CrowdStrike Holdings, Inc. - (CRWD)

10-K Filing Date: March 07, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
As a provider of cybersecurity solutions, we are passionate about cybersecurity risk management. At CrowdStrike, cybersecurity risk management is an integral part of our overall enterprise risk management program.
Our cybersecurity risk management program, which includes data privacy, product security, and information security, is designed to align with our industry’s best practices. Our program provides a framework for identifying, monitoring, evaluating, and responding to cybersecurity threats and incidents, including those associated with our use of software, applications, services, and cloud infrastructure developed or provided by third-party vendors and service providers. This framework includes steps for identifying the source of a cybersecurity threat or incident, including whether such cybersecurity threat or incident is associated with a third-party vendor or service provider, assessing the severity and risk of a cybersecurity threat or incident, implementing cybersecurity countermeasures and mitigation or remediation strategies, and informing management and the audit committee of our Board of Directors (the “Audit Committee”) of material cybersecurity threats and incidents.
Our cybersecurity team is responsible for assessing our cybersecurity risk management program and our incident response plan, which we regularly test through table-top exercises, and for testing our security protocols through additional techniques, such as penetration testing. In addition, we regularly engage independent third-party auditors to evaluate our compliance with various security compliance standards. We also conduct internal annual assessments of our cybersecurity risk management program. We review or update our cybersecurity policies, standards and procedures annually, or more frequently as needed, to account for changes in the threat landscape, as well as in response to legal and regulatory developments. Our cybersecurity efforts also include mandatory training for all employees and contractors on CrowdStrike’s security and privacy policies. We have a clearly defined acceptable use policy, to which we require employees to certify, and we require employees to certify their adherence to our code of conduct. We periodically send our employees simulated phishing emails to test their compliance with our policies. Although we have continued to invest in our diligence, onboarding, and monitoring capabilities over our critical third parties, including our third-party vendors and service providers, our control over the security posture of our critical third parties is limited, and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information assets owned or controlled by such third parties.
A cross-functional incident response team, composed of representatives from information technology, information security, product security, engineering, privacy and legal, is responsible for monitoring and disposition of potential occurrences such as data breaches, intrusions, and other security incidents, and for implementing our detailed incident response plan. Our incident response plan includes processes and procedures for assessing potential internal and external threats, activation and notification, crisis management, and post-incident recovery, designed to safeguard the confidentiality, availability, and integrity of our information assets.
In fiscal 2024, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors— Risks Related to Our Business and Industry” in this annual report on Form 10-K.
Cybersecurity Governance
Our Board of Directors has oversight responsibility for our overall enterprise risk management, and has delegated cybersecurity risk management oversight to the Audit Committee. The Audit Committee is responsible for ensuring that management (i) has policies, processes, and procedures designed to identify, monitor, evaluate, and respond to cybersecurity risks to which the company is exposed and (ii) takes steps to mitigate or remediate cybersecurity risks, threats and incidents, including monitoring the activities of the cybersecurity team and reviewing and updating our cybersecurity policies, processes and procedures. The Audit Committee also reports material cybersecurity incidents to our full Board of Directors.
Management is responsible for day-to-day risk management activities, including identifying and assessing cybersecurity risks, establishing processes to ensure that potential cybersecurity risk exposures are monitored, implementing appropriate mitigation or remediation measures and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Information Security Officer (“CISO”). Our CISO and dedicated personnel are certified and experienced information systems security professionals and information security managers with many years of experience across a variety of technology sub-specialties.
Our CISO receives reports from our cybersecurity team and monitors the prevention, detection, and mitigation or remediation of cybersecurity risks. Management, including the CISO, regularly updates the Audit Committee and the Board of Directors on the Company’s cybersecurity programs, material cybersecurity risks, and mitigation or remediation strategies.