RingCentral, Inc. - (RNG)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have an enterprise-wide information security program designed to protect, identify, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. Furthermore, to protect our information systems and data from cybersecurity threats, we use various security tools that help prevent, identify, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools, and a bug bounty program to allow security researchers to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. We also maintain a third party risk management program to identify, prioritize, assess, mitigate and remediate third party risks; however, we rely on the third parties we use to implement security programs commensurate with their risks, and we cannot ensure in all circumstances that their efforts will be successful.
We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is owned by the Chief Information Security Officer (“CISO”) and is supported by both management and our board of directors.
The CISO reports to the Chief Information Officer (“CIO”) and is responsible for management of cybersecurity risk and the protection and defense of our networks, systems and data. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. Our CISO has served in various information technology and security leadership roles for over 20 years, including serving as the Chief Information Security Officer at 8x8 Communications and Lam Research Corporation. He holds a B.S. degree in Information Technology from the University of the Pacific and an M.B.A. from the University of Southern California.
Our board of directors oversees our enterprise risk management activities in general, and receives regular updates on the company’s risk management process and the risk trends related to cybersecurity. The audit committee specifically assists the board of directors in its oversight of risks related to cybersecurity. To help ensure effective oversight, the audit committee receives regular reports on information security and cybersecurity from the CISO.
We have an established process and playbook led by our CISO governing our assessment, containment, mitigation, response and internal and external disclosures upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this process provides for escalating notification to our CEO and the board of directors (including our lead independent director and the audit and committee chair).
Our approach to cybersecurity risk management includes the following key elements:
Multi-Layered Defense and Continuous Monitoring - We work to protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and search for cyber threats. Our Cybersecurity Operations Center provides comprehensive cyber threat detection and response capabilities and maintains a 24 hour, seven day per week monitoring system which complements the technology, processes, and threat detection techniques we use to monitor, manage, and mitigate cybersecurity threats. From time to time, we engage third party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats. We also periodically use our internal audit function to conduct additional reviews and assessments.
Insider Threats - We maintain an insider threat program designed to identify, assess, and address potential risks from within our company. Our program evaluates potential risks consistent with industry practices, customer requirements and applicable law, including privacy and other considerations.
Information Sharing and Collaboration - We work with government and local law enforcement, customers, industry and/or supplier partners to gather and develop best practices and share information to address cyber threats. These relationships enable the rapid sharing of threat and vulnerability mitigation information.
Third Party Risk Assessments - We conduct information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and our standard terms and conditions contain contractual provisions requiring certain security protections.
Training and Awareness - We provide awareness training to our employees on at least an annual basis to help identify, avoid and mitigate cybersecurity threats. Our employees with network access participate quarterly in required training, including spear phishing, social engineering and other awareness training. We also periodically host tabletop exercises with management and other employees to practice rapid cyber incident response.
Supplier Engagement - We require our suppliers to comply with our standard information security terms and conditions, in addition to any requirements from our customers, as a condition of doing business with us, and require them to complete information security questionnaires to review and assess any potential cyber-related risks depending on the nature of the services being provided.
Although the "Risk Factors" section includes further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date.
We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see “Risk Factors.”