PROCORE TECHNOLOGIES, INC. - (PCOR)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity.
Risk management and strategy
We have implemented and maintain information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical networks, third-party hosted services, communications systems, hardware, software, and data, including intellectual property and confidential, proprietary, or sensitive information, such as customer data (“Information Systems and Data”).
Our President, Product and Technology (“President of P&T”), Chief Data Officer (“CDO”), Chief Security Officer (“CSO”), and others in our cybersecurity and audit functions, help identify, assess, and manage cybersecurity threats and risks that may impact us or our business and operations. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods, including using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating threats reported to us, coordinating with law enforcement, conducting audits and threat and vulnerability assessments, using external intelligence feeds, conducting tabletop exercises, and operating a bug bounty program.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including appropriate measures suggested by security standards, an incident response plan, incident detection and response, vulnerability management process, disaster recovery/business continuity plans, risk assessments, data encryption, network security controls, access controls, physical security, vendor risk management program, employee training, penetration tests, cybersecurity insurance, and dedicated cybersecurity staff.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall enterprise risk management processes and consider principles from recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization, and other applicable industry standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is designed to preserve the confidentiality, security, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity incidents when they occur.
From time to time, we use third-party providers to assist us with identifying, assessing, and managing material risks from cybersecurity threats, including professional services firms, threat intelligence service providers, cybersecurity consultants, penetration testing firms, and forensic investigators.
We use third-party providers for various aspects of our business, such as data-hosting companies. We have a third-party risk management program to manage cybersecurity risks associated with our use of these providers, which includes vendor risk assessments, questionnaires, review of the vendor’s security program, and contractual obligations for vendors, depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider.
For a description of the risks from cybersecurity threats that may materially affect us, see our risk factors under the heading “Risk Factors” in Part I of this Annual Report on Form 10-K, including the risk factor titled “If our IT systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including, but not limited to, regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, loss of customers or sales, and other adverse consequences, any of which could materially adversely affect our business, financial condition, results of operations, and prospects.”
Governance
Our Board oversees our enterprise risk management program, including the management of risks arising from cybersecurity threats. The audit committee of our Board (the “Audit Committee”) is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. A cross-functional cybersecurity committee (the “Cybersecurity Committee”), which is comprised of members of our management team, reports to the Audit Committee.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management team, including our President of P&T, CDO, and CSO. Our President of P&T has over 25 years of experience in senior executive roles that involved ownership of, and accountability for, cybersecurity matters, including Chief Information Officer, Chief Technology Officer, and Senior Vice President / General Manager. Our CDO has over 15 years of experience in IT and previously served as the Chief Information and Digital Experience Officer for a home automation company. Prior to that, she held various leadership roles at a computer software company. Our CSO has over 30 years of experience in computer science and engineering disciplines, and served as the Chief Information Security Officer at various companies prior to joining Procore.
Members of our management team, including our President of P&T, CDO, and CSO, are responsible for hiring appropriate personnel, approving budgets, helping to integrate cybersecurity considerations into our risk management strategy, communicating key priorities, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security-related reports. We provide regular training for personnel regarding cybersecurity threats, which is intended to equip them with tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes, and practices.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including to our President of P&T, CDO, and CSO. Our President of P&T, CDO, and CSO work with our incident response team to help us mitigate and remediate cybersecurity incidents, as applicable. Our incident response and vulnerability management processes include reporting to the Audit Committee and the Cybersecurity Committee, as appropriate.
The Audit Committee receives periodic reports from management concerning our significant cybersecurity threats and risks and the processes we have implemented to address them. The Cybersecurity Committee receives periodic reports from members of our cybersecurity team regarding such threats, risks, and processes. The Audit Committee and the Cybersecurity Committee also receive various reports, summaries, and presentations related to cybersecurity threats, risk, and mitigation.