TWILIO INC - (TWLO)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. Our board of directors is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”).
Risk Management and Strategy
We have policies, standards, processes and practices for assessing, identifying, and managing material risk from cybersecurity threats that are integrated into our ERM systems and processes. Our cross-functional approach to cybersecurity risk management is focused on preserving the confidentiality, integrity, and availability of our information systems by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. As part of this approach, we have implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents to enable timely decisions by management regarding the public disclosure and reporting of such incidents.
Our cybersecurity program is focused on the following key areas:
• Governance. As discussed in more detail under the heading “Governance” below, our board of directors’ oversight of cybersecurity risk is supported by our audit committee, which regularly interacts with our ERM function, our Chief Digital Officer (“CDO”), our Chief Information Security Officer (“CISO”), other members of management, and relevant committees and working groups, including management’s Enterprise Risk Committee (“ERC”), Cyber Incident Task Force (“CITF”), and Security Incident Response Team (“SIRT”), in its oversight of cybersecurity-related risk.
• Risk Assessment. We devote significant resources and designate high-level personnel, including our ERC, which includes our Chief Legal Officer (“CLO”), our CDO, our CISO, our Vice President of Internal Audit, and our Vice President of Ethics, Compliance and Risk Management, to manage the cybersecurity risk assessment and mitigation process. We conduct security assessments both internally and with the assistance of third parties to identify cybersecurity threats periodically and to identify any potentially material changes in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These security assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential impact of such risks, and the sufficiency and effectiveness of existing policies, procedures, systems, and controls to manage such risks. Risk themes identified during our risk assessments guide annual cybersecurity planning activities and investments to improve security coverage, technology capabilities and processes.
• Technical Safeguards. We deploy, maintain, and regularly monitor the effectiveness of technical safeguards that are designed to protect our information systems from cybersecurity threats. We align our security program to recognized frameworks and industry standards. We make investments in core security capabilities, including awareness and training, identity and access, incident response, product security, cloud security, enterprise security, risk management, and supply chain risk, in order to enable us to better identify, protect, detect, respond to, and recover from evolving security threats. Our technical safeguards include firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through internal and external security assessments and cybersecurity threat intelligence. We regularly assess our safeguards through internal testing by our assurance teams. We also leverage external third-party testing (e.g., penetration testing, attack surface mapping, and security maturity assessments) and seek third-party certifications (e.g., SOC2, ISO, and PCI DSS). Following our risk assessments, we evaluate whether and/or how to re-design and/or enhance our safeguards to reasonably address any identified risks or gaps.
• Incident Response and Recovery Planning. We have established comprehensive incident response and recovery plans that address the full lifecycle of our response to a cybersecurity incident. These plans are periodically tested and evaluated.
• Third-Party Risk Management. We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. We perform due diligence on vendors, service providers and other third-party users of our systems at initial onboarding and periodically thereafter. We require that third-party service providers have the ability to implement and maintain reasonable and appropriate security measures, consistent with applicable laws, in connection with their work with us, and to promptly report any actual or suspected breach of their security measures that may affect our company.
• Security Awareness and Training. Our security awareness program requires that employees and certain contractors complete comprehensive security training upon joining the company and annually thereafter. The training covers critical security topics to ensure our workforce stays informed about top-of-mind security areas, such as phishing. The training helps ensure that our personnel have the knowledge and skills required to protect our digital assets and critical data. In addition, we conduct awareness campaigns on cybersecurity threats as a means to equip our personnel with effective tools to address such threats and to communicate our evolving information security policies, standards, processes and practices.
We engage in the periodic assessment and testing of our cybersecurity policies, standards, processes and practices, including through audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. To assist with such assessment and testing, we engage assessors, consultants, auditors, and other third parties to perform assessments on our cybersecurity measures, including for third-party testing and certifications (as described above under “Technical Safeguards”), information security maturity assessments, customer audits, and independent reviews of our information security control environment and operating effectiveness. The material results of such assessments, audits and reviews are reported to our audit committee, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our company, including our business strategy, results of operations, or financial condition. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, are reasonably likely to materially affect our company in the future, including our business strategy, results of operations, or financial condition, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.
Governance
Our board of directors, in coordination with our audit committee, oversees our ERM process, including the management of cybersecurity risks, and is responsible for monitoring and assessing strategic risk exposure. Our management team and its committees, including our ERC, our CITF, our SIRT, and our core information security operational teams, in partnership with our engineering teams, are responsible for the day-to-day management and mitigation of the material cybersecurity risks we face.
Our board of directors administers its cybersecurity risk oversight function through our audit committee. Our audit committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties, and risks relating to cybersecurity incidents. Our board of directors receives quarterly updates from our audit committee on ERM and cybersecurity risks.
Our ERC, composed of our CLO, our CDO, our CISO, our Vice President of Internal Audit, and our Vice President of Ethics, Compliance and Risk Management, among others, oversees our ERM activities, including cybersecurity-related risks. Our CDO and our CISO (who reports to our CDO) are primarily responsible for the assessment and management of our material risks from cybersecurity threats, working collaboratively and cross-functionally to design and implement our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above, and for responding to any cybersecurity incidents. In addition, our CITF (which includes our CDO, our CISO, our CLO, and our Chief Financial Officer (“CFO”)) is primarily responsible for evaluating cybersecurity incidents, gathering and assessing facts relevant to applicable regulatory reporting and disclosure obligations, making recommendations to our Chief Executive Officer and CFO regarding such disclosure, and advising our board of directors and audit committee on the effectiveness of policies and procedures related to the disclosure of cybersecurity incidents.
To facilitate our cybersecurity risk management program, multidisciplinary teams throughout our company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, our CDO, our CISO, and the SIRT monitor the detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the CITF when appropriate.
Our CDO has over 25 years of experience at technology companies and has been in the security space for over 18 years, including serving as chief security officer at a public company and leading security engineering at another public company. Our CDO also serves on the board of directors of a publicly traded cybersecurity company. Our CDO holds an undergraduate degree in electronics engineering and a graduate degree in business administration and management. Our CISO has over 18 years of experience managing cybersecurity risks in the technology industry, including serving as the acting chief security officer at a public company and holding other senior cybersecurity leadership and operational roles at other companies. Our CISO holds an undergraduate degree in computer engineering and graduate degrees in electrical engineering and business administration. Our CFO, CLO, VP of Internal Audit, and VP of Ethics, Compliance and Risk Management each hold undergraduate and/or graduate degrees in their respective fields, and have over 10 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.