A10 Networks, Inc. - (ATEN)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We have established processes to assess, identify, and manage significant risks from cybersecurity threats as part of our broader enterprise-wide risk management system and processes, which is overseen by our Board of Directors and our Audit Committee, along with our executive management. Our cybersecurity policies, standards, processes, and practices are part of our information security management program, which is aligned to ISO 27001, an international standard to manage information security. ISO 27001 is published by the International Organization for Standardization (ISO), the world's largest developer of voluntary standards, and the International Electrotechnical Commission (IEC).

Our information technology (“IT”) cybersecurity team, led by our Head of Information Security, is tasked with monitoring and assessing cybersecurity and operational risks related to information security and system disruption. The team employs measures designed to protect against, detect, and respond to cybersecurity threats, and has implemented processes and procedures aligned with our information security management system. These include:

Enterprise-wide security framework and cybersecurity standards;
Cybersecurity awareness and training programs;
Security assessments and monitoring;
Restricted physical access to critical areas, servers and network equipment;
Cyber incident response, crisis management, business continuity and disaster recovery plans; and
Third-party IT vendor risk management process to identify, assess, and manage risks presented by our IT vendors and business partners.

Our IT cybersecurity team maintains an incident response plan designed to respond to potential cybersecurity threats, such as security breaches and cyberattacks, and to protect and preserve the confidentiality, integrity, and continued availability of information owned by, or in the care of, the Company. Our incident response plan coordinates the activities that we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage the incident, assess its severity, escalate significant cybersecurity incidents to our global crisis management plan, and contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. We conduct tabletop exercises for tactical response readiness, perform regular security scans of our environment from both an external and an internal perspective, and work with a qualified third-party vendor to perform penetration tests of our environment. These penetration tests are focused on specific objectives to assist us in managing our cybersecurity threat risks. Any identified risks are included in our overall risk management program, which we validate on a regular basis.

We conduct organization-wide cybersecurity training and compliance exercises in connection with our information security program. This training consists of educational material and compliance testing administered to, and completed by, all of our employees on an annual basis, which is tracked and recorded throughout the year. Results are shared with executive management, the Audit Committee, and the Board of Directors. Additionally, employee phishing tests are conducted on a regular basis.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our Enterprise Risk Management Assessment framework. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.

In our risk factors, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have significantly affected or are reasonably likely to significantly affect us, including our business strategy, results of operations, or financial condition. See our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.



Cybersecurity Governance

Our Board of Directors, executive management and Audit Committee are actively engaged in the oversight of IT risk management, including cybersecurity risk. Executive management and the Audit Committee share responsibility for overseeing our risk exposure to information security, cybersecurity, and data protection, as well as the steps management has taken to monitor and control such exposure. The Board of Directors, executive management and the Audit Committee receive quarterly reports on IT controls and information security. Additionally, on at least an annual basis, the Audit Committee reviews and discusses with management our policies and programs with respect to the oversight of IT risk and cybersecurity threats.

Oversight for assessing and managing cybersecurity risk is performed by our IT cybersecurity team, with additional oversight performed by our Human Resources, Internal Audit and Legal Departments. Our executive management is briefed at least quarterly by these teams. Members of the Board of Directors, Audit Committee, and executive management are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Our executive management, the Audit Committee, and the Board of Directors are notified of any significant cybersecurity incidents through an escalation process that is established in our incident response plan and incorporated into our disclosure controls and procedures. Additionally, we maintain a third-party vendor relationship which is available to the team for on-demand incident response and investigation, as needed.

Our IT cybersecurity team is led by our Head of Information Security, Sean Pike. Mr. Pike has over 25 years of experience leading and scaling cybersecurity practices across regulated industry and critical infrastructure. Most recently, he served as CISO at Business Wire, where he was responsible for transforming the security and compliance organizations to meet the needs of a globally distributed SaaS newswire. Prior to Business Wire, Mr. Pike held leadership positions at VMware, IDC, and Nielsen Radio. His work at the Company includes aligning cybersecurity, product security, and security compliance initiatives to business goals. Mr. Pike holds a JD in law from Syracuse University and an M.S. in telecommunications and network management from Syracuse University.