VEEVA SYSTEMS INC - (VEEV)

10-K Filing Date: March 25, 2024
ITEM 1C. CYBERSECURITY.
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.
Governance
Our Board of Directors formed a Cybersecurity Committee to exercise oversight over our cybersecurity and privacy programs and controls for our products and our internal-use information technology. The Cybersecurity Committee is chaired by a director with cybersecurity expertise and board and executive experience at large technology companies. The Cybersecurity Committee receives reports from management on a regular basis on a range of topics, including the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives, incident reports from cybersecurity events, and compliance with regulatory requirements and industry standards.
Our day-to-day cybersecurity and technology risk management efforts, including oversight of our information security management system, are led by our EVP of Internal Operations, a member of our executive leadership team with over three decades of experience in the field, whose cybersecurity experience includes serving as our Chief Information Officer and in executive roles at other companies leading security, operations, audit, and compliance teams. Our Chief Information Security Officer (CISO), who has over two decades of experience in cybersecurity, reports to the EVP of Internal Operations and oversees our security team. Our CISO’s cybersecurity experience includes serving as an enterprise architect and network security architect at a Fortune 25 public retail company.
Cybersecurity risk management is integrated into our broader risk management framework. We have a security points of contact program, which embeds security experts into product development teams. In addition, a security council, chaired by our CISO, meets monthly to discuss the security program, security incidents, and ongoing program objectives. The council comprises senior leaders in product development, operations, security, quality, and services, and helps ensure that security remains a top priority across the enterprise.
Risk Management and Strategy
Information Security Management System
We maintain a comprehensive Information Security Management System (ISMS) that is designed to ensure the confidentiality, integrity, and availability of customer data, corporate data (such as intellectual property or source code), employee data, and our systems. Our ISMS is founded on the following industry-leading and regulatory standards:
ISO 9001:2015 – Quality Management Systems
ISO/IEC 27001:2013 – Information Security Management
SOC 2 Type II – System and Organization Controls
SEI Capability Maturity Model Integration (v1.3)
IT Infrastructure Library (ITIL) version 3
ICH Q9 – Quality Risk Management
We have achieved ISO 27001 certification for our ISMS, which is managed by our CISO. As a data processor, we are the custodian of customer information that can be both confidential and sensitive. We are also certified to ISO 27018 for privacy controls.
Critical elements of our ISMS include:
Operational measures to monitor and respond to data breaches and cyber attacks. We have application, database, network, and resource monitoring in place that is designed to identify vulnerabilities and protect our applications. Our personnel are trained to promptly report any security incident, and any such incident is addressed under our Security Incident Management Policy, which includes a formal incident response process. We also provide a trust site that displays upcoming maintenance downtimes, data center incidents, and relevant security communications.
Vulnerability and penetration testing. Our solutions undergo internal vulnerability testing prior to release. We have built our own internal penetration testing systems and we conduct vulnerability assessments on our software using automated and manual methods, at least annually. In addition, we commission annual vulnerability and penetration testing of our systems by industry-recognized, third-party security specialists.
Training. We require role-based security and security awareness training. All employees receive annual training on our Code of Conduct and our Acceptable Use Policy, which establishes our commitment to protecting the confidential and proprietary information of our customers and partners. In addition, all new hires and contractors must undergo information security awareness training. Subsequent security awareness training is required annually for all active employees and contractors. Employees in certain roles (e.g., customer support representatives, developers, and hiring managers) receive more extensive data security training annually.
Disaster recovery and business continuity. Our solutions are designed to help avoid single points of failure to reduce the chance of business disruption from security breaches, incidents, and other disruptions of systems. We maintain formally documented recovery processes that may be activated in the event of a significant business disruption of our corporate IT infrastructure or the production infrastructure that processes our customer data. We conduct testing, at least annually, to verify the validity of the recovery processes and provide reports on the test results for production infrastructure that processes our customer data to customers via access to a customer portal.
Process for Identifying Material Cybersecurity Incidents
Potentially material cybersecurity incidents are escalated according to our Security Incident Management Policy to a management response team comprising our EVP of Internal Operations, Chief Financial Officer, Chief Accounting Officer, General Counsel, Chief Privacy Officer, and Associate General Counsel (Corporate). Our Security Incident Management Policy is designed to inform the management response team about, and monitor, the prevention, detection, mitigation, and remediation of cybersecurity incidents. The management response team is responsible for timely determining materiality and overseeing the appropriate reporting of certain cybersecurity incidents.
Cybersecurity risks, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our business strategy, results of operations, or financial condition. For additional information regarding risks from cybersecurity threats that we face, and regarding our likelihood of being materially affected by risks from cybersecurity threats, please see Item 1A, “Risk Factors.”
Supplier Management Program
Through our Supplier Management Program, we maintain procedures that specify requirements for the assessment of suppliers and contractors who provide services that may impact our product and process quality. These procedures allow us to identify risks from potential cybersecurity incidents associated with our use of products and services from these suppliers and ensure that there is an appropriate level of oversight of our vendors’ quality systems. We perform initial audits and then periodic, risk-based audits on our suppliers to ensure their products and services conform to our established quality standards.