Tenable Holdings, Inc. - (TENB)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Tenable recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data and our exposure management solutions. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, our critical data (including without limitation intellectual property, confidential information that is proprietary, strategic or competitive, customer vulnerability data, and information systems data), and exposure management solutions.
Our Information Security function is overseen by our Chief Security Officer, or CSO, and is supported by our Chief Information Officer, Product Engineering Team Lead, Chief Legal Officer, or CLO, and Head of Global Privacy. Our information security function is responsible for identifying, assessing and managing cybersecurity threats and risks and works to monitor and evaluate our threat environment and risk profile using various methods. These methods include conducting vulnerability assessments and threat assessments in certain environments for internal and external threats, scanning certain threat environments, analyzing certain reports of threats and actors, conducting internal audits for certain systems, evaluating our and our industry's risk profile, coordinating with law enforcement concerning select threats, and engaging with third-party service providers to conduct external audits and threat assessments for certain systems, provide intelligence feeds, and conduct red/blue team testing and tabletop incident response exercises.
We implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data depending on the environment. This includes maintaining an incident response plan, vulnerability management policy, and disaster recovery and business continuity plan, conducting risk assessments for certain environments, implementing security standards and certifications for certain products and systems, encrypting data in transit and at rest, controlling data access in certain environments, using multiple network controls in certain environments, segregating data, monitoring systems, performing regular security assessments for certain systems, training employees, maintaining cybersecurity insurance, maintaining dedicated cybersecurity staff, and conducting internal and external penetration tests.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. This integration is designed to ensure that cybersecurity considerations are part of our decision-making processes. Our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Cybersecurity Risk Management Committee, or Cybersecurity Committee, of the Board of Directors, or Board.
We use third-party service providers to assist us from time to time in identifying, assessing, and managing material risks from cybersecurity threats, including for example cybersecurity consultants and software providers, managed cybersecurity service providers, threat intelligence service providers, forensic investigators, penetration testing firms, dark web monitoring services, and professional services firms, including legal counsel and auditors. By partnering with these specialized providers, we can leverage their insights and expertise to implement cybersecurity strategies and processes that are designed to align with industry best practices.
Our collaboration with third parties includes cybersecurity audits, threat assessments, and consultation on security enhancements. We have established processes designed to manage the cybersecurity risks associated with working with third-party service providers. We evaluate the risks associated with third parties before engagement and maintain ongoing monitoring of such third parties designed to ensure compliance with our security standards. This includes security questionnaires and assessments, as well as external attack surface management. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
See Risk Factors in this Annual Report on Form 10-K for a description of the risks from cybersecurity threats that may materially affect us and how they may do so.
Governance
Our Board addresses cybersecurity risk management as part of its general oversight function. The Cybersecurity Committee is tasked with assisting the Board in fulfilling its oversight responsibility for our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
The Cybersecurity Committee bears the primary responsibility for oversight of the management of risks related to the Company’s information technology use and protection, cybersecurity, and product security. The Cybersecurity Committee consists of directors with cybersecurity and other expertise including risk management, technology and finance. The Cybersecurity Committee assists the Audit Committee and the Board in overseeing Tenable’s overall process of risk assessment and enterprise risk management.
Our CSO is responsible for implementing and maintaining our cybersecurity risk assessment and management processes. Our CSO has over 25 years of experience in cybersecurity, including serving as a chief security and strategy officer at another company and founding a cybersecurity operational technology threat intelligence and solutions platform. Our CSO oversees and maintains our information security management framework and is responsible for defining and implementing our information security strategy, hiring appropriate personnel, communicating key cybersecurity priorities to relevant personnel, and managing cybersecurity budgets and cybersecurity processes.
Our CSO seeks to regularly obtain information about relevant developments in cybersecurity, including potential threats and risk management techniques to help shape our approach to preventing, detecting, mitigating, and remediating cybersecurity threats. Our CSO is also responsible for implementing and overseeing processes for regularly monitoring our information systems and data, including the conducting of periodic audits of certain systems to identify potential vulnerabilities. The CSO reports directly to the Chief Executive Officer and provides regular updates to our Chief Financial Officer, and CLO, on certain cybersecurity risks and incidents.
In the event of a cybersecurity incident, the CSO initiates our incident response plan that includes actions designed to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Our incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including reporting to the Cybersecurity Committee and the Board for certain cybersecurity incidents.