GoDaddy Inc. - (GDDY)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
GoDaddy maintains an enterprise-wide cybersecurity program designed to manage risks to the company's information systems from cybersecurity threats and cybersecurity incidents.
Board and Audit and Finance Committee Governance
Our board of directors (the Board) is committed to managing data privacy and cybersecurity risks as part of the company's overall risk management framework. The Board oversees the company's cybersecurity risk management program through the Board's Audit and Finance Committee (the Audit Committee). The Audit Committee is responsible for overseeing and reviewing with management GoDaddy's cybersecurity matters. The Audit Committee receives verbal and written reports at least quarterly from GoDaddy's Chief Information Security Officer (CISO) regarding the state of the company's cybersecurity risk management program, the company's current material cybersecurity risks, and general cybersecurity-related risks. The Audit Committee consists of Board members with a diversity of expertise in risk management, technology, finance and cybersecurity, including oversight of security teams. In addition, the company's CISO and Chief Technology Officer (CTO) provide the full Board with written quarterly and annual reports on the state of the company's cybersecurity program and material cybersecurity-related risks, and the chair of the Audit Committee provides a quarterly summary of the Audit Committee's cybersecurity discussion to the full Board.
Management of Cybersecurity Risk
GoDaddy management is responsible for identifying, assessing, and managing the company's material cybersecurity risks on an ongoing basis, establishing processes designed to ensure that potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation and remediation measures, and maintaining the company's cybersecurity programs.
GoDaddy's CISO has primary responsibility for overseeing the company's programs for identifying, assessing, and managing the company's cybersecurity risks. The CISO reports directly to the company's CTO and also regularly provides reports and updates to the company's CEO on significant cybersecurity-related matters relevant to the company's cybersecurity risk. The company's CISO has more than 18 years' experience in cybersecurity, networking, and related technologies. The company's CTO has more than 25 years' experience in network security and other related technologies. The company's CEO has more than 27 years' experience in ecommerce technology, engineering, and other related areas.
The CISO, CTO, and CEO work together to assess and manage cybersecurity-related risks. The CISO is responsible for day-to-day operations working with an enterprise-wide cybersecurity team that provides 24/7/365 support. The CISO regularly confers with the CTO and CEO on cybersecurity matters, including providing notice of cybersecurity threats and incidents, including those that have the potential to have material effects. The CISO also provides written monthly and quarterly reports on the state of the company's cybersecurity program and cybersecurity risks to the CTO, CEO, and other key executives. As noted above, the CISO and CTO also provide regular reports to the Audit Committee and the Board.
The company's cybersecurity policies, procedures, and strategies primarily are implemented by the company's information security department, which reports directly to the CISO. The company's information security department performs functions that include but are not limited to general security operations, event monitoring, incident response, vulnerability management, policy and procedure development, security compliance, product development support, product security readiness testing, third-party vendor security assessments, and penetration testing. Other personnel and departments in the company also assist with cybersecurity risk management, including but not limited to the company's technology organization and the company's privacy, legal, third-party risk management, and corporate audit services teams. The company also has developed processes to integrate cybersecurity risk management within the company's product and software development processes.
In addition, product teams and business unit leaders are involved in cybersecurity risk management during product development with support from our enterprise-wide security team supervised by the CISO.
Third-Party Consultants and Auditors
GoDaddy maintains industry certifications for some of the services we provide, including certifications relating to our GoDaddy Registrar, Registry, Domains, and Commerce businesses. We use third-party auditors and consultants in connection with obtaining and maintaining our certifications for certain products and services. We also have engaged third-party consultants in the past and may engage third-party consultants in the future for specific projects and engagements, such as responding to cybersecurity incidents. Our third-party financial auditors also include material cybersecurity risks and events as part of their financial audits.
Third-Party Cybersecurity Risk Management
We engage with third parties to provide us with hardware, software, and services to operate our information systems and run our business. In particular, we host a substantial portion of our IT infrastructure and data on services maintained by Amazon Web Services. When engaging a third-party vendor or service provider, we use a variety of processes and controls to identify and oversee risks relating to that engagement, which may include one or more of the following depending on the scope and nature of the engagement:
•incorporating provisions in vendor contracts that require third parties to meet certain minimum cybersecurity standards based on the nature of the product or service provided;
•installing monitoring software and other tools to detect malicious software and activities in systems operated by third parties;
•maintaining processes for monitoring for and applying updates and patches to third-party hardware and software to address vulnerabilities; and
•performing security and data privacy assessments before engaging new vendors or acquiring new hardware and software.
We also rely on third parties to provide hardware, software, and services relating to our cybersecurity program. We apply similar controls to third-party providers of cybersecurity services that we apply to other IT hardware, software, and services described above. Our control over and ability to monitor the security posture of third parties with whom we do business remains limited and there can be no assurance that we can prevent, mitigate or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our right to indemnification, if any at all, may be limited or insufficient to prevent a negative impact on our business from such compromise or failure.
Cybersecurity Threat Monitoring and Incident Response
GoDaddy monitors for threats to our information systems on an ongoing basis through a combination of automated intrusion detection monitoring solutions, review of log data, and other related activities. We also require security training for all GoDaddy personnel, including instructions regarding the proper methods for reporting potential cybersecurity incidents that are not captured through our monitoring solutions. We also provide mechanisms for interested third parties, including security researchers and law enforcement, to provide us notice of potential cybersecurity threats.
Potential and actual cybersecurity incidents primarily are handled by our internal incident response team, which is supervised by our CISO. Our incident response team is responsible for assessing the potential risk posed by an incident, providing notice to appropriate stakeholders in the company based on the perceived risk, and coordinating the assessment, containment, mitigation, and remediation efforts. Depending on the severity and scope of the incident, we may also engage external consultants. Security personnel and consultants retained by our service providers may also be involved in cases where our vendors experience a cybersecurity incident. In the event of a potentially material cybersecurity incident, we have defined processes for escalating the incident for determination of whether the incident is material and requires filing of a notification on Form 8-K or other notification required under applicable laws and regulations.