AKAMAI TECHNOLOGIES INC - (AKAM)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Our customers rely upon Akamai to power and protect the online experiences of their end user customers. We provide security, content delivery and compute services through Akamai Connected Cloud and maintain internal systems and other data associated with running our business. We have implemented cybersecurity risk management programs and procedures designed to identify and address threats to both internal and customer facing data and systems that are subject to ongoing compliance assessments, certifications and testing.
Under the oversight and direction of the Akamai executive management team and the Audit Committee of Akamai’s board of directors, the Chief Security Officer (the “CSO”) has primary responsibility for overseeing Akamai’s management of cybersecurity risks. Reporting to the Chief Executive Officer through the Company's Executive Vice President and General Manager of the Security Technology Group, the CSO leads Akamai’s Information Security Committee, which works cross-functionally with other Akamai departments, including legal, business, policy and technical functions, as appropriate, to exchange information related to cybersecurity. Our current CSO is an accomplished security professional with 15 years of experience in building and leading information security teams at both public and private companies. Akamai’s information security team is comprised of senior ranking staff who have experience in a broad range of security domains, including security operations, software security, risk management and auditing.
The CSO and Akamai’s information security team regularly communicate the nature and state of security risks to senior business leaders across the organization. In addition, the CSO meets on a regular basis with the Information Security Committee to provide cybersecurity program updates and to discuss potential risks and changes in the cyber threat landscape in which we operate. On a quarterly basis and as needed, the CSO reports to the Audit Committee to provide information on, as applicable and appropriate, cybersecurity risk management programs, risk mitigation, cybersecurity incidents and related disclosure obligations, if any, information on new or changing threats and other cybersecurity matters. The Audit Committee
22
Chair reports to our board at least quarterly on our cybersecurity risk management program, including risk mitigation, cybersecurity incidents and other relevant developments in our cyber threat landscape. In addition to formal reporting, the CSO takes part in informal meetings as needed and requested with Akamai's management, including the Chief Executive Officer and the board of directors.
The information security team, under the authority of the CSO, has developed a cybersecurity risk management program that addresses four primary operational pillars:
•researching, monitoring and identifying significant cybersecurity threats and risks across Akamai Connected Cloud and the larger internet ecosystem taking into account malicious actors, software vulnerabilities and other threat sources;
•assessing designated risks applicable to Akamai’s assets and systems, including those associated with third-party vendors and suppliers, and planning and tracking efforts to address significant risks;
•managing cybersecurity incidents and associated reporting and communications obligations; and
•ongoing compliance assessments through internal and external audits and assessments, certifications and the penetration and vulnerability testing of certain systems.
These operational pillars and the programs established from them are informed by cybersecurity industry standards.
Our programs are designed to identify and categorize cybersecurity threats and risks through different sources. We conduct assessments of threat models to determine which risks are most likely to impact us. Akamai’s information security team gathers threat and risk data and updates through various sources, such as systems reviews, security research activities, product development processes, diligence efforts in acquisitions and internal and external security scans and alerts, as appropriate. As applicable, in certain circumstances, we also collaborate with industry partners in the security community, our peers and law enforcement agencies, to support our cybersecurity threat intelligence capabilities. This information is collected, categorized and assessed to identify, prioritize and manage significant cybersecurity risks. As a result, our process is continually evaluated and evolves as the threat landscape changes.
In addition to ongoing risk management procedures, we have implemented a cybersecurity incident procedure designed to identify and address security incidents through various channels. As part of this process, cybersecurity incidents are evaluated, as appropriate, by a cross-functional team to assess the impact of the incident or threat to Akamai from a financial, reputational and operational perspective, and to determine notification obligations to customers and regulators and disclosure obligations to investors, as applicable. The results of such evaluation are discussed with the board of directors as appropriate. On a regular basis, our cybersecurity professionals conduct internal assessments of this process. Additionally, we have implemented an incident response plan that is reviewed by the Audit Committee and the board of directors from time to time.
We also incorporate security practices into employee training. We have a process for employees to formally acknowledge their review and understanding of security obligations, and the information security and legal teams conduct periodic security and data protection training aimed to emphasize the importance of security and data protection. In addition, we have implemented a review process to assess the security profile and data protection practices of certain third-party service providers that have exposure to Akamai’s systems, including, as appropriate, review of vendor security policies and procedures and contractually required security commitments.
Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats to and breaches of our and our third-party vendors’ data and systems. For more information, see "Risk Factors" included elsewhere in this annual report on Form 10-K.