SMARTSHEET INC - (SMAR)
10-K Filing Date: March 20, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Our business involves the storage, transmission, and processing of a large quantity of customer data, including confidential and sensitive information. Our management team and Board recognize the significance of maintaining the trust of our customers and business partners, including the importance of managing cybersecurity risks as part of our larger risk management strategy. While everyone at our company plays a part in managing these risks, oversight responsibility for cybersecurity is shared by our management team and our Board, including its Audit Committee.
We have adopted a variety of data security controls, and we have a defined protocol for identifying, containing, and remediating cybersecurity incidents. Our cybersecurity program is aligned with our overall enterprise risk management strategy and leverages the National Institute of Standards and Technology security framework to drive strategic direction and maturity improvement. This program is led by our Chief Information Security Officer ("CISO"), who has served in the role since 2020, has over 10 years of experience leading cybersecurity programs at large enterprise organizations, and holds a Ph.D. and master’s degree in Information Assurance and Security. We also utilize our Information Security Steering Committee (“ISSC”), a cross-functional group of senior internal stakeholders responsible for identifying and addressing significant security risks that could impact customers, our platform, or our corporate environment. The ISSC makes recommendations to escalate risks to senior leadership and our Board, and also determines, and reviews annually, our security risk tolerance including setting acceptance criteria for security related risks.
We follow a documented risk management procedure that involves creating and monitoring remediation plans with the aim of mitigating our exposure to cybersecurity risks. Our Active Defense and Response Team (“ADRT”) is designed to monitor and detect threats to our customers, platform, and our corporate environment, and provides a regular security briefing to the ISSC on relevant threat items. This information is used to escalate items to the appropriate threat level as necessary. ADRT members also regularly test the incident response capability of our information systems, using tests and exercises to determine their effectiveness.
Additionally, we have adopted a Third Party Risk Management Policy (“TPRM Policy”) to provide an integrated framework for the review and selection of our prospective or current third-party contractors and providers. The goal of the TPRM Policy is to identify and analyze risks before engaging in or continuing business with such third parties, so that these risks can be mitigated, monitored, and managed on an ongoing basis. In addition, our Supply Chain Review Board, composed of a cross-functional group of internal management team members, uses a risk-based due diligence approach to evaluate third-party providers. We endeavor to only engage third-party providers after completing a review of the risks associated with such engagement and in accordance with the TPRM Policy. We routinely monitor these third-party engagements, including, among other measures, by requesting regular updates to the provider’s security documentation and by reviewing the scope of our agreements with the provider.
Further, we have achieved certifications for internationally recognized information security and data privacy standards developed by the International Organization for Standardization (“ISO”), including ISO/IEC 27001:2013; ISO/IEC 27017:2015; ISO/IEC 27018:2019; and ISO/IEC 27701:2019. We also maintain certifications through a variety of other data security standards, including SOC 2 and FedRAMP. These certifications demonstrate our commitment to industry-leading security and privacy best practices.
To ensure adherence to our cybersecurity policies and compliance with information security standards, independent third parties audit our practices each year and conduct infrastructure and application security assessments and penetration testing. We also mandate regular cybersecurity training for our employees. Further, our security incident response policies and procedures are documented and provided to all authorized personnel to guide them in detecting, responding to, and recovering from security events and incidents.
Though we have previously experienced, and may experience in the future, cybersecurity incidents, we do not believe that any of these incidents have materially affected our business operations, financial condition or operating results. In the future, we may experience a material Cybersecurity Threat that could adversely affect our business operations, financial condition or operating results. For more information regarding our cybersecurity risks and the related potential impacts on our business, see the risk factor titled “Our failure to sufficiently secure our products and services may result in unauthorized access to customer data, a negative impact on our customer attraction and retention, and significant liabilities.”
Governance
Our Board engages in risk oversight on a broad range of matters related to cybersecurity. The Board is independent from management and exercises oversight over the development and performance of our internal information security controls. Our CISO provides quarterly updates to the Audit Committee and meets regularly with our Chief Executive Officer and other senior management members to discuss cybersecurity matters. Our Audit Committee regularly reviews metrics and updates related to Cybersecurity Threat response preparedness, program maturity milestones, risk mitigation status, and the current and emerging threat landscape. Additionally, we consider director and Audit Committee member Alissa Abdullah to be a cybersecurity expert because of her background and experience, with a Ph.D. in information technology management, current service as Mastercard Incorporated’s deputy chief security officer, and prior service in high-level information and technology management roles.