Yext, Inc. - (YEXT)
10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our risk management framework is designed to identify, assess, and mitigate potential threats that may impact the achievement of our business objectives. We have established policies and processes for assessing, identifying, and managing risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of potential risks, both internal and external, that could affect our business operations, financial stability, and reputation, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Our risk assessment methodology considers historical data, control effectiveness, and expert analysis to quantify and prioritize risks accordingly.
Following these risk assessments, we consider whether and how to adjust our strategies and controls to reduce the potential impact of identified risks. Our management team is responsible for executing risk mitigation plans and monitoring the effectiveness of these measures. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer who reports to our Chief Technology Officer, who in turn reports to our Chief Executive Officer, to manage the risk assessment and mitigation process.
We work to educate our employees about cybersecurity risk management and the latest threats to enhance their awareness and to foster a security-conscious culture throughout the organization. As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through training.
We have engaged consultants and other third parties in connection with our risk assessment processes. These third parties have assisted us with the design and implementation of our cybersecurity policies and procedures, as well as with monitoring and testing our safeguards.
We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company.
We, like any technology company operating in the current environment, have experienced cybersecurity incidents in the past. However, as of the date of filing this Annual Report on Form 10-K, we have not previously experienced any cybersecurity incidents that were determined to be material. For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K.
Governance
One of the key functions of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. The audit committee of our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face.
Members from our legal, finance, internal audit and technology leadership comprise a management committee on cybersecurity (the “Cybersecurity Risk Committee”), which is primarily responsible for assessing and managing our material risks from cybersecurity threats. The composition of our Risk Management Committee reflects a diverse and comprehensive range of expertise, critical for overseeing the effective evaluation and management of potential material cybersecurity risks within Yext. Members of the Cybersecurity Risk Committee hold advanced degrees in key fields relevant to our risk management efforts, including computer science, information security assurance, business administration, engineering, as well as legal, finance, and accounting disciplines. This combination of specialized knowledge and experience, reinforced by industry-recognized certifications in these areas, positions the Cybersecurity Risk Committee to effectively evaluate and manage potential material cybersecurity risks.
Our Chief Information Security Officer and our Cybersecurity Risk Committee oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our Chief Information Security Officer and our Cybersecurity Risk Committee are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include the following:
• Continuous monitoring to detect and respond to potential cybersecurity incidents promptly, including the use of advanced security technologies and threat intelligence;
• Engagement with external cybersecurity experts to conduct independent assessments of our cybersecurity posture, ensuring that our defenses remain robust against an evolving threat landscape;
• Development and testing of incident response processes, plans and procedures to ensure preparedness in the event of a cybersecurity incident, including clearly defined roles and responsibilities enabling a swift and coordinated response;
• Communication and update channels that allow for the timely dissemination of information regarding cybersecurity incidents and the effectiveness of implemented controls. This includes regular reporting to senior management, the Cybersecurity Risk Committee and, as appropriate, to the Board of Directors; and
• Regular review and updating of our cybersecurity policies and processes to reflect the changing threat landscape, ensuring that our risk management practices remain effective and aligned with industry best practices.
Our Chief Information Security Officer and/or Chief Technology Officer provide quarterly briefings to the audit committee of our Board of Directors regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Our audit committee provides regular updates to our Board of Directors on such reports.