QUALYS, INC. - (QLYS)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have established an Information Security Management System (“ISMS”) comprised of policies, procedures, and processes for assessing, identifying, and managing material risks from cybersecurity threats, and have integrated these processes into our overall enterprise risk management systems and processes. Our ISMS is aligned to generally accepted security standards and is certified by third-party auditors according to ISO/IEC 27001 standards. We routinely assess cybersecurity risks for materiality, including assessing any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We routinely conduct risk assessments to identify cybersecurity threats and weaknesses, as well as risk assessments of events that could potentially materially change our business practices and affect our information systems that could be impacted by cybersecurity threats and vulnerabilities. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through periodic trainings.
We have established a Computer Security Incident Response Team (“CSIRT”) that identifies security incidents, characterizes the nature and severity of incidents, and provides diagnostic and corrective actions when appropriate. The security measures the CSIRT employs are consistent with relevant requirements of the National Institute of Standards and Technology (“NIST”), Federal Risk and Authorization Management Program (“FedRAMP”), International Organization for Standardization (“ISO”), and Federal Information Security Management Act (“FISMA”). We have also adopted certain guidelines from NIST and the United States Computer Emergency Readiness Team.
Our Incident Response Program and Plan describes the major phases of an incident management lifecycle, which includes preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. Qualys' 24x7 Security Operations Center (“QSOC”) and CSIRT conduct Incident Response Plan testing and training on a periodic basis through tabletop exercises or simulated attack scenarios. This testing appraises our readiness to respond to such scenarios and tests the completeness and accuracy of the incident response plan. The QSOC and CSIRT teams drive these exercises for participants through various cyber security incident scenarios delivered as multiple injects. Exercise participants primarily consist of members from various Qualys departments such as security operations, IT operations, network operations, and other departments depending on the selected scenario.
We routinely evaluate the risks posed by third-party providers and engage with those who fail to comply with our relevant contract requirements, or when we feel further action is needed to keep our risk levels within approved tolerance levels.
We engage assessors, consultants, auditors, and other third parties in order to obtain external validation of the effectiveness and adequacy of our security posture in compliance with regulatory requirements. These service providers attest to our organization-wide design and implementation of cybersecurity policies and procedures, and annually monitor such policies and procedures from a safety perspective.
For additional information regarding whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factor entitled “Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.” We have not currently encountered any cybersecurity threats that have materially impaired our operations or financial standing.
Governance
Our board of directors, with assistance from management, monitors and assesses strategic risk exposure, and our management team is responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit and Risk Committee of our board of directors (“Audit and Risk Committee”).
Our CISO and our Security Steering Committee, which includes members from management across all company functions such as security, IT, human resources, sales and marketing, engineering, legal, and finance, are primarily responsible for assessing and managing cybersecurity threats. Our CISO is a cybersecurity industry expert with over two decades of experience in cybersecurity, including work at multi-national technology companies and for a U.S. state government. He holds several industry certifications including CISSP, OSCP, CCSP, and GCFA and is also a graduate of the Carnegie Mellon University’s Chief Information Security Officer Executive Program. Our CEO is also a cybersecurity industry expert who has deep insight and over two decades of experience in cybersecurity, technology and information security.
Our CISO and our Security Steering Committee, along with other senior executives including the CEO and CTO, review and manage our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents include prompt communication from the CSIRT describing the severity and impact of the incident and its status throughout the incident handling lifecycle, and routine monitoring of key risk indicators.
Our CISO provides briefings to the Audit and Risk Committee along with our CEO and other members of our senior management team, both on a quarterly basis via the Qualys Security Steering Committee and as needed, regarding our cybersecurity risks and activities, including, if any, critical and high impact cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the emerging threat landscape. Our Audit and Risk Committee provides regular updates to the board of directors on such reports. In addition, our CISO and management team provide periodic briefings to the board of directors on cybersecurity risks and activities. Management is committed to notifying the Audit and Risk Committee, and the full Board in the event of a cyber incident that is confirmed to have a material effect on Qualys, or in the event that Qualys has identified a cyber risk that is likely to have a high probability of having a material impact on Qualys if not mitigated.