PagerDuty, Inc. - (PD)
10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature, customer data, and the personal information of our employees (collectively, “Information Systems and Data”).
Our Chief Information Security Officer (“CISO”), along with the information security, engineering, and legal functions at the Company, helps identify, assess, and manage the Company’s cybersecurity threats and risks. They work to identify and assess risks from cybersecurity threats by monitoring and evaluating the threat environment using various methods, including using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, evaluating our and our industry’s risk profile, conducting audits and threat assessments, conducting vulnerability assessments, and using external threat intelligence.
Depending on the environment, system, and data, we implement and maintain certain technical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident response procedures, vulnerability management process, disaster recovery/business continuity plans, encryption, network security controls, user access controls including multifactor authentication and role-based access, data segregation, asset management, systems monitoring, vendor risk management program, employee training, penetration testing, cybersecurity insurance, and dedicated cybersecurity staff.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes, including by prioritizing our risk management processes and mitigating cybersecurity threats that are more likely to lead to a material impact to our business.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms, cybersecurity consultants, managed cybersecurity service providers, penetration testing firms, and as needed, forensics investigators.
We also use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, and various supply chain resources. We have a vendor management program to manage cybersecurity risks associated with our use of these providers which includes, depending on the vendor, nature of the services provided, and sensitivity of the Information Systems and Data at issue: different levels of assessment designed to help identify cybersecurity risks associated with the vendor, security questionnaires, review of security assessments, and imposition of contractual obligations related to cybersecurity.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part I. Item 1A. Risk Factors in this Annual Report on Form 10-K.
Governance
Our board of directors oversees the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Technology Officer (“CTO”), CISO, and Chief Information Officer (“CIO”), who have decades of experience in cybersecurity and information technology. Our CTO has extensive experience in computer science, and our CISO has extensive experience in computer security and enterprise data.
Company management, including the CTO, CISO, and CIO, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Management is also responsible for approving budgets for spending on cybersecurity, helping prepare for cybersecurity incidents, and approving cybersecurity processes.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including to the CISO, CTO, and CIO, as appropriate. The CTO, CISO, and CIO work with the Company’s incident response team to help the Company mitigate and remediate such cybersecurity incidents. In addition, the Company’s incident response and vulnerability management processes include updates to the audit committee of the board of directors as appropriate.
The audit committee receives periodic reports from the CTO and/or CISO concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented to address them. The audit committee also receives various reports, summaries, or presentations related to the Company’s cybersecurity threats, risks, and mitigation. The audit committee will keep the full board of directors apprised of the Company’s cybersecurity risk processes and significant developments related to cybersecurity.