DOCUSIGN, INC. - (DOCU)

10-K Filing Date: March 21, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.

Our cybersecurity risk management program is guided by industry standards developed by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and other relevant organizations.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program and utilizes common reporting channels and governance processes that apply across other risk areas. While everyone at our company plays a part in managing cybersecurity risks, as discussed in more detail under “Cybersecurity Governance” below, our board of directors, both directly and through delegation to our Audit Committee (the “Audit Committee”), and our senior management team are actively involved in the oversight of our cybersecurity risk management program. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Our cybersecurity risk management and strategy includes:

Our dedicated Security team, which performs periodic risk assessments to identify and assess cybersecurity threats, vulnerabilities, their severities, and potential mitigations. The team leverages both top-down and bottom-up risk processes and technologies to identify, manage and monitor cyber threats and vulnerabilities. The team also manages our response to cybersecurity incidents.
Incident Response Playbooks and Standard Operating Procedures (“SOP”) outlining procedures for detecting, responding to, and mitigating cybersecurity incidents. Depending on the nature and severity of an incident, this process provides for escalating notification to our CEO and the board of directors.
The use of external service providers, where appropriate, to assess, test or otherwise assist with certain aspects of our security controls and processes, as well as maturity assessments of our cybersecurity program.
New-hire and annual data privacy and cybersecurity training for all employees, including senior management; annual role-based training for employees with specific access to systems, devices, or locations; and targeted cybersecurity simulation training held on a recurring basis.
A third-party risk management process that identifies and mitigates cybersecurity threats associated with our use of third-party service providers. Such service providers are subject to risk tiering, security risk assessments, and continuous monitoring, including, as applicable, investigation of security incidents that have affected those providers.

We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. While we have experienced cybersecurity incidents in the past, we believe our current processes, systems and oversight with respect to the management of risks associated with cybersecurity threats are effective. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results, or financial condition. For more information regarding the risks we face from cybersecurity threats see “Risk Factors.”

Cybersecurity Governance

Securing the information of our customers, employees, contractors, and third-party service providers is important to us. We have adopted physical, technological, and administrative controls on data security, and have defined procedures for data incident detection, containment, response, and remediation. While everyone at our company plays a part in managing these risks, oversight responsibility is shared by our board of directors, our Audit Committee, and management. Accordingly, our management team provides regular cybersecurity updates to our board of directors and regular updates on cyber risk management to the Audit Committee. We also maintain information security risk insurance coverage.

We have also recently established a Security Governance Council (“Council”) that provides strategic guidance for the protection of our information, technology, and physical assets, including the definition of security risks and the prioritization of the implementation of associated controls. The Council is led by the Chief Information Security Officer (“CISO”), includes relevant senior executives, has begun to meet at least quarterly, and will reconvene on an emergency basis when necessary to respond to potentially material cybersecurity incidents. The CISO reports to the Chief Information Officer (“CIO”) and is responsible for management of cybersecurity risks and the protection and defense of our networks, systems, and data. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessment and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats, and regulatory compliance. Our CISO has over 20 years of experience in IT and information security across security architecture, incident response, and threat intelligence programs. Our CISO also holds a bachelor’s degree in computer science and maintains Certified Information Systems Security Professional (“CISSP”) certification.

Members of executive leadership are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described herein, including the operation of our incident response plan. Our program is regularly evaluated by internal and external experts with the results of those reviews reported to members of executive leadership, and the Audit Committee. We also actively engage with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.