HashiCorp, Inc. - (HCP)
10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity
Risk management and strategy
We recognize the importance of developing, implementing, and maintaining robust cybersecurity measures to help safeguard our information systems and protect the confidentiality, integrity, and availability of those systems and our data maintained on them.
Managing Material Risks & Integrated Overall Risk Management
We maintain risk management activities to identify, assess, prioritize, and address cybersecurity risks and we incorporate them into our overall risk management processes. Our Security team is responsible for performing cybersecurity risk assessments over various systems and processes on an ongoing basis. The results from risk assessment activities are reviewed to prioritize the mitigation of identified risks, and the need for risk mitigation may influence business or operational strategy, project roadmaps and timelines, or other decision-making, as needed.
Our Security Risk Committee is comprised of senior leaders across the company, and our Chief Security Officer briefs this committee on emerging risk topics and the company’s top security risks on a quarterly basis. The Chief Security Officer also participates in our Risk Management Committee and presents on security risks as part of that group’s discussion of enterprise risk.
Engagement of Third-parties on Risk Management
We engage cybersecurity assessors, and other service providers, as needed, in evaluating and testing our risk management systems. These engagements help us to leverage specialized knowledge and insights to better align our cybersecurity strategies and processes with applicable industry standards. Our collaboration with these third parties includes regular control assessments, threat and vulnerability assessments, and consultation on security enhancements.
Oversee Third-party Risk
We maintain standard processes to oversee and manage risks associated with use of third-party service providers. We conduct security assessments of third-party service providers with access to our information systems or sensitive data before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. Such practices include recurring assessments of critical third-party service providers’ cybersecurity programs and ongoing monitoring, detection, and response capabilities used by our security engineers. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third-party service providers. In addition, our Legal team reviews the associated vendor contracts to ensure they include appropriate terms, including applicable security provisions.
Risks from Cybersecurity Threats
We have not encountered risks from cybersecurity incidents or challenges that have materially impaired our business strategy, results of operations, or financial condition. Such risks may evolve in the future to have material impact, and our cybersecurity risk management processes, including those described here, may not always operate as designed or be effective. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factor entitled “Risks Related to Our Business and Operations: Problems with our internal systems, networks, or data, including actual or perceived breaches or failures by us or our partners, could cause our products to be perceived as insecure, underperforming, or unreliable, which would damage our reputation, and our financial results.”
Governance
Given the potential significance of cybersecurity threats to our operational integrity and stakeholder confidence, our Board of Directors has established oversight mechanisms to promote effective governance in managing such risks.
Board of Directors Oversight and Management’s Role in Managing Risk
The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The CSO is responsible for informing the Audit Committee on cybersecurity risks and presents to the committee at least semi-annually. Additional discussions with the Audit Committee or the full Board of Directors may occur on an as-needed basis. These briefings encompass various topics, including:
● Current cybersecurity landscape and emerging threats;
● Status of ongoing cybersecurity initiatives and strategies;
● Incident reports and learnings from any cybersecurity events; and
● Compliance with regulatory requirements and industry standards.
The Audit Committee reviews and advises on Management’s strategic decisions related to cybersecurity, offering guidance and approval for major initiatives when deemed appropriate.
Risk Management Personnel
Cybersecurity risk management practices are ultimately led by our CSO, who has tenured experience in the cybersecurity field and is recognized within the industry. The CSO is supported by personnel across the Security organization in assessing, monitoring, and managing cybersecurity risks. Security personnel have relevant experience and credentials to perform their associated risk management responsibilities, and with the help of these individuals and teams, the CSO oversees governance programs, confirms compliance with relevant security requirements, manages known risks, and educates the company on cybersecurity.
Monitor Cybersecurity Incidents
The CSO implements and oversees processes for the regular monitoring of our information systems, primarily through Security’s Threat Detection & Response (TDR) team. This includes the deployment of technical security monitoring and alerting measures to identify potential incidents. In the event of a cybersecurity incident, the Security organization and relevant teams throughout the company follow a formalized, documented incident response plan. This plan includes immediate actions to assess and mitigate the impact of an incident, as well as subsequent actions to remediate and help prevent future incidents of a similar nature.