Workday, Inc. - (WDAY)

10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
We have implemented a variety of cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess and manage such material risks. Our approach includes: (1) an enterprise risk management program, which includes cybersecurity risks and is periodically refreshed; (2) security and privacy reviews designed to identify risks from many new features, software, and vendors; (3) a vulnerability management program designed to identify hardware and software vulnerabilities; (4) a variety of tools designed to monitor our networks, systems and data for suspicious activity; (5) an internal red team program, which simulates cyber threats, intended to allow us to fix vulnerabilities before threat actors identify them; (6) a threat intelligence program designed to model and research our adversaries; and (7) a variety of privacy, cybersecurity, and incident response trainings and simulations. We leverage industry standard security frameworks, including from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the American Institute of Certified Public Accountants (AICPA), to evaluate our security controls, which vary in maturity across the business and are processes we work to continually improve.
We also maintain a privacy and cybersecurity incident response program to prepare for, detect, respond to and recover from cybersecurity incidents, which includes processes to triage, assess the severity of, escalate, contain, investigate, and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Further, we conduct periodic tabletop exercises to test and fortify the controls of our cybersecurity incident response program. The incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of higher severity cybersecurity incidents provided to our management team. If a cybersecurity incident is determined to be a potentially material cybersecurity incident, our disclosure controls and procedures define the steps to determine materiality and disclose such a material cybersecurity incident.
Our risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of our security controls. We conduct penetration testing on a periodic basis and have established an external bug bounty program to allow security researchers to help identify vulnerabilities in our systems before they mature into real-world cybersecurity threats. We also maintain a vendor risk management program designed to identify and mitigate risks associated with third-party service providers, including those in our supply chain and those who have access to our customer or employee data or our systems. This program includes pre-engagement diligence, contractual security and notification provisions, and ongoing monitoring, as appropriate.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, financial condition, or results of operations, under the headings “We depend on data centers and other infrastructure operated by third parties, as well as internet availability, and any disruption in these operations could adversely affect our business and operating results,” “If we are unable to successfully integrate our applications with a variety of third-party technologies, our business and operating results could be adversely affected,” and “If our information technology systems are compromised or unauthorized access to customer or user data is otherwise obtained, our applications may be perceived as not being secure, our operations may be disrupted, our applications may become unavailable, customers and end users may reduce the use of or stop using our applications, and we may incur significant liabilities” included as part of our risk factor disclosures included in Item 1A of this report, which disclosures are incorporated by reference herein.
Governance
Our Board of Directors is actively involved in overseeing risks from cybersecurity threats. At least once a year, the Board of Directors discusses our programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of Workday’s business strategy. Additionally, the Board has delegated to our Audit Committee oversight of cybersecurity risks and processes to manage them. Our Audit Committee is comprised entirely of independent directors who regularly evaluate cybersecurity risks.
The materials presented to our Board and Audit Committee include updates on our data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan, and certain cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. The Board and Audit Committee generally receive materials, including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discuss such matters with our Chief Information Security Officer (“CISO”). Material cybersecurity threat risks are also considered during separate Board and committee meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, and other relevant matters.
Our CISO leads all aspects of our global cybersecurity program, including the identification, evaluation, and prioritization of security risks, as well as the company’s response to material security incidents. Our CISO joined Workday in 2010 and has served as our CISO since April 2018. Our CISO has more than 15 years of experience in cybersecurity and information technology risk management, including at a large public company and a recognized consulting firm. He also has a degree in information systems management.
Our cybersecurity program is also supported by a cross-functional leadership team that contributes to our information security and privacy programs and practices, as well as identifies and mitigates security and privacy risks. This team includes our CIO, our Chief Privacy Officer, and our Chief Legal Counsel. This team contributes to the development of the company’s cybersecurity strategy and is periodically updated regarding evolving cybersecurity risks and the responsive actions in place. This team is also informed about the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described herein, including the operation of our incident response plan.