Asana, Inc. - (ASAN)
10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have implemented and maintain a formal information security management program designed to identify, assess, and manage material risks from cybersecurity threats to our critical networks, services, and data. Our information security management program includes a dedicated security team led by our Head of Security that is responsible for implementing security controls and monitoring for suspicious activity. Our information security management program also includes a cybersecurity risk management process which aims to identify and assess material risks from cybersecurity threats, including from vulnerabilities within Asana systems and new and emerging threats to Company operations by using automated and manual tools, subscribing to and analyzing reports and services that identify certain cybersecurity threats, conducting scans of certain environments, evaluating our and our industry’s risk profile, evaluating threats reported to us, and conducting audits and threat assessments.
We consider our information security management program and the cybersecurity governance structure described below to be part of our overall enterprise risk management program.
Depending on the nature of the environment, system and/or data, we implement and maintain various technical and organizational measures, processes, standards and/or policies designed to manage and mitigate cybersecurity risks, including, for example, as may be appropriate: employee training, software design review, static code analysis, coordinated vulnerability disclosure and bug bounty program, penetration testing performed by an outside assessment firm, vulnerability scanning and management, endpoint and network security monitoring, access controls, vendor risk management, asset management, and software updates and patching.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including as applicable to our environments, systems, and data. These third-party service providers may include, but are not limited to, cybersecurity consultants, cybersecurity software providers, cybersecurity assessment firms, and forensic investigators.
To operate our business, we also use third-party vendors to perform a variety of functions, including but not limited to, developing aspects of our platform, hosting and delivering our platform and related services, supporting the sale and marketing of our products and services, and providing technical and customer support. Depending on the nature of the services provided, the sensitivity of the systems and data at issue, and the identity of the vendor, our vendor management process may involve different measures designed to help identify, assess, and manage cybersecurity risks associated with the vendor, such as conducting risk assessments and re-assessments, reviewing the vendor’s security program, and imposing contractual cybersecurity-related obligations on the vendor. For example, our security, privacy, and IT teams may review the vendor’s security protocols, data retention policies and privacy policies, privacy practices, and security track record, and advise on implementation best practices.
See the section titled Item 1A. Risk Factors, including “If our information technology systems, or those of third parties upon which we rely, or our data are or were compromised or operate in an unintended way, we could experience adverse consequences, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences”, for additional information about the risks from cybersecurity threats that may materially affect our business.
Governance
The Audit Committee of our Board of Directors is responsible for assisting the Board in overseeing the Company’s risk assessment and risk management processes, including risks related to cybersecurity and data privacy. Our Head of Security, who reports to our Head of Engineering and works with other members of management, manages the Company’s cybersecurity program. Our Head of Security holds a master’s degree in computer engineering from the Rochester Institute of Technology and has over 15 years of cybersecurity experience. Our Head of Engineering holds a master’s degree in computer science from the University of Illinois Urbana-Champaign and has nearly two decades of leadership experience at technology companies overseeing key engineering functions. Our Head of Security provides regular updates to the Audit Committee and the Board on cybersecurity risks faced by the Company and the Company’s processes for risk identification, assessment, and management.
Our management team is involved in assessing and managing the Company’s material risks from cybersecurity threats, including by hiring appropriate personnel, considering cybersecurity risk in our enterprise risk management strategy, helping prepare for cybersecurity incidents, and participating in the cybersecurity incident response and remediation process for incidents escalated to it, including determining materiality. Our management that is involved in these processes includes our Head of Security, Head of Global Privacy, Head of Engineering, Head of Enterprise Technology & IT, Chief Business Officer, Chief Financial Officer, and General Counsel. Management also escalates, as appropriate, reports relating to cybersecurity incidents or threats to the Audit Committee.