BLACKLINE, INC. - (BL)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cybersecurity is a key component of BlackLine’s overall cross-functional approach to risk management. Our cybersecurity risk management practices are integrated into our overall risk management practices, and cybersecurity risks are among the core enterprise risks identified for oversight by our Board through our annual enterprise risk assessment. Our cybersecurity policies and practices are designed with the cybersecurity framework of the National Institute of Standards and Technology and certain other applicable industry standards in mind, and BlackLine maintains an information security management system, which is certified against certain international standards, such as ISO 27001 and ISO 27017.
Our cybersecurity program includes:
• Vigilance: We maintain a global cybersecurity threat operation that endeavors to detect, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing disruptions to the business.
• Collaboration: We have established collaboration mechanisms with public and private entities, including intelligence and enforcement agencies, industry groups, and third-party service providers to identify and assess cybersecurity risks.
• Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion detection systems, anti-malware functionality, access controls, and ongoing vulnerability assessments.
• Third-Party Management: We maintain a risk-based approach to identifying and overseeing cybersecurity risks with respect to third parties, including third parties who provide solutions we rely upon for our security measures. This includes contractually obligating third-party service providers with access to our systems or processing sensitive data on our behalf to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected security breach that may affect BlackLine.
• Education: Employees outside of our corporate information security organization also have a role in our cybersecurity defenses, which we believe improves our cybersecurity. We provide training upon onboarding, and annually thereafter, for all personnel regarding cybersecurity threats, with additional role-based security training as applicable. We also provide periodic cybersecurity newsletters and updates to all employees, maintain a phishing awareness program that includes monthly simulations, and periodically host tabletop exercises with management and other employees to practice rapid cyber incident response.
• Incident Response Planning: We have established and maintain an incident response plan that addresses our response to suspected cybersecurity incidents and is tested periodically.
• Communication and Coordination: We address the risk from cybersecurity threats through a cross-functional approach involving management personnel from the information security, technology, operations, legal, risk management, internal audit, and other key business functions, and we communicate regarding cybersecurity threats and incidents with members of our Board, the Audit Committee of the Board (the “Audit Committee”), and the Technology and Cybersecurity Committee of the Board (the “Technology and Cybersecurity Committee”).
• Governance: The Board’s oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with our risk management function and Chief Information Security Officer (“CISO”). In February 2024, the Board formed a standing Technology and Cybersecurity Committee, which is comprised of independent members of the Board and assists the Board in fulfilling its oversight responsibilities with respect to risks relating to our information security, data privacy and disaster recovery capabilities.
A key part of our strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, and other exercises focused on evaluating effectiveness. We periodically engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. The results of such assessments and reviews are reported to the Board, the Audit Committee, and the newly formed Technology and Cybersecurity Committee, and we make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.
The Audit Committee and the Technology and Cybersecurity Committee are responsible for oversight relating to cybersecurity. The Board and the Audit Committee regularly receive (and the newly formed Technology and Cybersecurity Committee will receive) presentations and reports on cybersecurity risks from the CISO, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and cybersecurity considerations arising with respect to our peers and vendors. Our incident response process includes escalation of potentially material cybersecurity incidents to relevant members of our executive management team. The Board, the Audit Committee, and the newly formed Technology and Cybersecurity Committee are updated as appropriate.
Periodically, the Audit Committee discusses our approach to cybersecurity risk management with our CISO. Our Technology and Cybersecurity Committee will receive regular reports from our CISO as part of its assessment of our cybersecurity threat landscape, and the quality and effectiveness of our information security programs.
Our CISO is the member of our management who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across BlackLine. She has over 15 years of experience as a chief information security officer responsible for enterprise-wide oversight of information security programs. She holds CISSP and CISM certifications, and a BS in Computer Science. She leads a team of information security professionals, and works in coordination with the Chief Information Officer, the Chief Legal and Administrative Officer, the Senior Vice President, Cloud Engineering and Operations, and other members of management.
The CISO, in coordination with the other members of the executive management team, works collaboratively across BlackLine to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to cybersecurity incidents. To facilitate the success of such programs, we designate certain employees as security champions throughout BlackLine to respond to cybersecurity incidents in accordance with our incident response plan. Through communications with these employees, the CISO monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, and reports such incidents to the Board, the Audit Committee, and the Technology and Cybersecurity Committee, when appropriate, as discussed above.
As of the date of this report, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected BlackLine, including its business strategy, results of operations or financial condition. Notwithstanding our investment in cybersecurity, however, we may not be successful in identifying a cybersecurity risk or preventing or mitigating a cybersecurity incident or product security vulnerability that could have a material adverse effect on our business, results of operations, or financial condition.
We are at risk for cybersecurity breaches and incidents, including as a result of third-party action, employee, vendor or contractor error, cyberattacks (including from nation states and affiliated actors) and other forms of hacking, malfeasance, ransomware, and other malicious software, or other factors. If our security controls are breached or circumvented, or unauthorized or inadvertent access to, modification to, or processing of customer, employee, or other confidential data otherwise occurs, our software solutions may be perceived as insecure, or may become unavailable or inaccessible to our end users. As a result, we may lose existing customers or fail to attract new customers, our business may be harmed, and we may incur significant liabilities. These and other risks could affect BlackLine, including our business strategy, results of operations, or financial condition. For more detailed information about these and other cybersecurity risks, please see Part I, Item 1A, “Risk Factors”, including the risk factor entitled “If our security controls are breached or unauthorized, or inadvertent access to customer, employee or other confidential data is otherwise obtained, our software solutions may be perceived as insecure, we may lose existing customers or fail to attract new customers, our business may be harmed and we may incur significant liabilities.”