Datadog, Inc. - (DDOG)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We utilize various processes and tools to assess, identify, and manage risks from cybersecurity threats. In the development of our products and features, our security teams work with our engineering and product teams to identify, assess, and agree upon mitigation or remediation measures with respect to product development. On an ongoing basis, we encourage an environment of openness in which our engineering and product teams, led by our security teams, proactively identify, manage and discuss actual or perceived cybersecurity risks. These teams also use automated and manual processes to identify and track risks from cybersecurity threats. The identified risks are triaged, prioritized for remediation, and reported by the security teams to various levels of our senior management, as appropriate. We also deploy technical safeguards that are designed to protect our platform and systems from cybersecurity threats, including firewalls, intrusion prevention, and detection systems. We have established an incident response plan that addresses our response to cybersecurity incidents, and we require periodic training for our employees on cybersecurity threats. In addition, we maintain cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured.
In addition, we maintain third-party vendor management standards that are used to evaluate cybersecurity risks associated with our third-party service providers, and we assess information technology and software vendors to determine their security posture and maturity. All vendors that process our data or access our systems go through a security and privacy review before they are engaged that is targeted to the services to be provided and the systems and data involved. Based on the information provided by the vendor and depending on the nature of the services provided, our vendor management process may involve security questionnaires and contractual obligations such as audit rights and breach reporting.
We also periodically perform various types of security audits and assessments, including penetration tests, via internal and external parties. In addition, certain Datadog products are subject to specific compliance requirements and standards, including, as applicable, ISO 27001, SOC 2, PCI, and FedRAMP (Low and Moderate), and are tested and evaluated by third-party auditors against those applicable compliance requirements and standards. The identified risks from such audits and assessments are triaged, prioritized, reported by our security teams to various levels of our senior management and tracked and remediated depending on the severity.
Our internal audit function conducts annual interviews across business groups to identify key areas of risk, including cybersecurity risk. This enterprise risk assessment helps inform the internal audit plan, and both the assessment and progress against the internal audit plan are periodically presented to the Audit Committee. Our Chief Information Security Officer also reports separately to our Audit Committee on cyber and information security risk on a quarterly basis.
We have previously and may in the future become the target of cyber-attacks by third parties seeking unauthorized access to our or our customers’ data or to disrupt our ability to provide our services. As a result, we have expended and plan to continue to expend significant resources in an effort to protect against security incidents and to mitigate, detect, and remediate actual and potential vulnerabilities. Notwithstanding the measures and processes we take to manage cybersecurity risk, there is no guarantee that these measures and processes will be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For a description of the risks from cybersecurity threats that may materially affect the Company and how those risks may affect the Company, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including without limitation “Strategic and Operational Risks—If we or our third-party service providers experience, or are unable to protect against cyber-attacks, ransomware, security incidents, or security breaches, or if unauthorized parties otherwise obtain access to or otherwise compromise our customers’ data, our data, or our platform and information technology systems, then our solution may be perceived as not being secure, our reputation may be harmed, demand for our platform and products may be reduced, and we may incur significant liabilities or additional expenses.”
Governance
Our Board of Directors has delegated its oversight of risks associated with cybersecurity to its Audit Committee. Generally, each quarter, the Audit Committee reviews and discusses with our Chief Information Security Officer material cybersecurity risks and our processes for assessing, identifying, and managing such risks, and the Audit Committee will receive updates as necessary between each quarterly meeting. In the event of a material cybersecurity incident, the Audit Committee will be notified, and the Board of Directors will also receive updates on cybersecurity risks and incidents, as appropriate.
Our Chief Information Security Officer and Chief Technology Officer are the members of our executive team who are principally responsible for overseeing our cybersecurity risk management program. Our Chief Information Security Officer and Chief Technology Officer are informed about cybersecurity threats through their involvement with the processes set forth above. For example, our Chief Information Security Officer receives regular reports on identified cybersecurity risks and progress toward remediation from our security teams and both our Chief Information Security Officer and Chief Technology Officer are notified of cybersecurity incidents and the management of such incidents in accordance with the escalation procedures of our incident response plan.
We believe these members of our executive team have the appropriate expertise, background, and experience to manage risks arising from cybersecurity threats. Alexis Lê-Quôc is one of the co-founders of our company and has served as our Chief Technology Officer and a member of our board of directors since June 2010. Mr. Lê-Quôc has extensive knowledge and experience from building and leading the development of our technology and from his decades of experience in the technology industry. Prior to co-founding Datadog, Mr. Lê-Quôc worked at Wireless Generation from March 2004 to December 2010, where he most recently served as Director of Live Operations. Previously, Mr. Lê-Quôc held engineering positions at a number of technology and software companies, including IBM Research and France Télécom S.A. Mr. Lê-Quôc received his M.S. in Computer Science from CentraleSupélec. Emilio Escobar has served as our Chief Information Security Officer since September 2020. With two decades of experience in information security and compliance, Mr. Escobar has worked at large enterprises, medium-sized companies, and governmental organizations. Previously, Mr. Escobar served as the Vice President of Information Security for Hulu, where he played a pivotal role in setting up key security functions. Prior to that, Mr. Escobar worked for PlayStation, where he built and ran the software security teams. Mr. Escobar holds a BS in Computer Science from the University of Puerto Rico.