AXON ENTERPRISE, INC. - (AXON)
10-K Filing Date: February 27, 2024
Our business is highly dependent on our information systems, including our ability to operate them effectively and to successfully implement new technologies, methods and processes, as well as adequate controls and cybersecurity incident recovery plans. We rely on our information systems to manage our business, data, communications, supply chain, ordering, pricing, billing, inventory replenishment, accounting functions and other processes. In addition, we must protect the confidentiality and integrity of the data of our business, employees, customers and other third parties. Our business involves the collection, processing, storage and transmission of personally identifiable information and other sensitive and confidential information. This data is wide ranging and relates to our employees, customers and third parties, including the subjects of law enforcement. Our compliance obligations include those prescribed under the laws and regulations that dictate whether, how and under what circumstances we can receive, process, hold and/or transfer certain data that is critical to our operations, including data shared between countries or regions in which we operate and data shared among our products and services.
As part of our company-wide culture of security, we maintain a formal cybersecurity and information security program that is aligned with the standards set forth by the International Organization for Standardization (“ISO”), the American Institute of Certified Public Accountants in Systems and Organization Controls 2, the Criminal Justice Information Services, the Federal Risk and Authorization Management Program and the National Institute of Standards and Technology. The Company’s Information Security Team maintains the program, which is designed to ensure proper monitoring, prevention, detection, mitigation and remediation of cybersecurity vulnerabilities, including the prompt investigation and management of all reported or discovered security events, including cybersecurity threats and incidents, in the ordinary course of the business of the Company.
Our cybersecurity and information security program is designed to comply with key global financial regulations and cybersecurity laws in the jurisdictions in which we operate. The program includes taking several proactive steps to prepare for attempts to compromise our information systems. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material cybersecurity risks, and protect against, detect and respond to cybersecurity threats and incidents, we undertake the below listed activities:
● closely monitor emerging data protection laws and implement changes to our processes designed to comply;
● undertake regular reviews (at least annually) of our consumer-facing and internal policies and statements related to cybersecurity;
● proactively inform our customers of substantive changes related to customer data handling;
● conduct annual information security training for all our employees;
● recruit and retain highly skilled cybersecurity professionals, and provide regular training and development opportunities for our cybersecurity and information security employees;
● conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
● through policy, practice and contract (as applicable), require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
● perform due diligence on third-party vendors and, based on our risk assessment, put in place contractual undertakings and oversight to manage and reduce the risks associated with third-party vendors;
● run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our technologies, methods and processes;
● conduct regular risk assessments of our information systems to identify weaknesses, and develop and implement mitigations to improve our cybersecurity and information security program;
● conduct regular security assessments, vulnerability scans, and penetration tests (including by third-party assessment firms) of product systems and internal systems to discover vulnerabilities and apply appropriate mitigations within standardized timelines;
● maintain, implement, evaluate and update our cybersecurity technologies to address threats and vulnerabilities; and
● carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Third Party Monitoring and External Reviews
Axon utilizes the assistance of third-party technology and providers to support our objective of protecting our information, information systems and network. Services provided by third parties to assess the performance of our cybersecurity risk management systems and procedures and to identify cybersecurity risks to the Company include assessing products and internal systems for vulnerabilities, incident response services such as computer forensics, internal and external audits for security certifications globally and overall security program maturity evaluations. Axon and our service providers have also developed systems and processes that are designed to protect our and our customers’ data, to prevent data loss, and to prevent or detect cybersecurity threats and incidents.
Material findings, notable weaknesses and suggestions are presented to the Enterprise Risk and Compliance Committee of the Company’s Board of Directors (the “ERC Committee”) as discussed below.
Cybersecurity Management Team
Our cybersecurity and information security program, which includes data privacy, is the responsibility of our Chief Information Security Officer (“CISO”), who oversees our global information security program. Our current CISO has served in various information technology and information security roles over the past 20 years, having built the Company’s information security program over the last 10 years, and serving as CISO since December 2017. We expect our current CISO to transition his responsibilities to our new CISO over the coming quarter. Our new CISO brings diverse perspectives and significant skills and experience leading security organizations across a number of technology companies.
Our CISO attends quarterly meetings of the Company’s Disclosure Committee and provides input on the Company’s disclosures in its Quarterly Reports on Form 10-Q and Annual Reports on Form 10-K, including the relevant risk factors set forth therein. The Company’s CISO, along with the Information Security Team, also leads our Security Incident Response Team, which is responsible for investigating suspected cybersecurity threats and incidents. In the event of a possibly material cybersecurity incident, the Information Security Team also includes the following executive team members: Corporate General Counsel, Chief Legal Officer, Chief Accounting Officer, Chief Financial Officer and, to the extent practicable or relevant, other senior executives.
Board of Directors Oversight
As a part of its oversight of the key risks facing the Company, our Board of Directors devotes significant time and attention to data and systems protection, including cybersecurity and information security risk. While the Audit Committee of the Company’s Board of Directors (the “Audit Committee”) reviews any significant legal, compliance or regulatory matters that may have a material impact on the Company’s business, financial statements or compliance policies generally, it does so in consultation with our ERC Committee with respect to any such matters that involve cybersecurity, data privacy or information technology. The Chair of our ERC Committee is also a member of our Audit Committee, which facilitates close coordination between the two committees on cybersecurity, data privacy and information technology matters.
Our ERC Committee oversees our overall approach to enterprise risk management, of which cybersecurity is an important component. The ERC Committee and its Chair, in coordination with the Information Security Team and CISO, regularly review the categories of risk the Company faces, including any cybersecurity risk exposures, as well as the likelihood of occurrence, the potential impact of those risks, and the steps management has taken to monitor, mitigate and control such exposures. To facilitate these reviews, the Information Security Team and CISO report at least quarterly to the ERC Committee with respect to cybersecurity risks, including those identified through review of our business, of rising threats in the industry, and of the current state of the Company’s cybersecurity and information security program. The ERC Committee makes regular reports to the full Board of Directors regarding updates on cybersecurity and other risks.
Incident Response and Assessment Policies and Procedures
Axon has implemented our cybersecurity and information security program and cybersecurity incident response plan to protect our and our customers’ data from, and mitigate the effects of, unintentional disclosure as well as cybersecurity threats and incidents of all severity levels. Our program and response plan outline actions to be taken after identifying a suspected cybersecurity threat or incident and the people responsible for managing those actions. We have also implemented disclosure controls and procedures for determining the materiality of a cybersecurity incident to outline disclosure and communications responsibilities during cybersecurity incidents of all severity levels.
In the event of a possibly material cyber incident, the Security Incident Response Team, under the direction of the Corporate General Counsel and/or the Chief Legal Officer, would collect and document information relevant to materiality and make a threshold determination as to whether such cybersecurity incident (including those occurring on the information systems of third parties) is potentially material. The Security Incident Response Team would meet with the Chair of the ERC Committee to review the preliminary findings of the Security Incident Response Team, including the possible factors in determining materiality. If the Security Incident Response Team and the Chair of the ERC Committee determine that the cybersecurity incident warrants further review after consideration of such findings and factors, the Audit Committee would be convened for a meeting (to which all members of the ERC Committee would be invited) to review the cybersecurity incident and the findings of the Security Incident Response Team and the Chair of the ERC Committee. The Audit Committee would then make a materiality determination consistent with SEC guidance and by considering relevant quantitative and qualitative factors, informed by any recommendations of the ERC Committee and/or its Chair.
Any materiality assessment that results in a determination that a cybersecurity incident is not material would be reported by the Information Security Team, or appropriate members of management, to the ERC Committee at its next scheduled meeting.
At this time, we have not identified any risks from known cybersecurity threats, including as a result of prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations or financial conditions. However, we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. See “Risk Factors—If our security measures or those of our third-party cloud storage providers are breached and unauthorized access is obtained to customers’ data or our data, our network, data centers and products and services may be perceived as not being secure, customers may curtail or stop using our service and we may incur significant legal and financial exposure and liabilities” and “Risk Factors—Catastrophic events could materially adversely affect our business, results of operations and/or financial condition.”