Informatica Inc. - (INFA)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management.
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and as described further below, have integrated these processes into our overall risk management systems and processes. Our board of directors performs meaningful oversight of these cybersecurity risk management processes, and our management team is responsible for the day-to-day management of the material risks we face.
Management roles in cybersecurity risk management.
We have several committees and individual management positions responsible for assessing, identifying, and managing the material cybersecurity risks that we face.
Enterprise Risk Management Committee.
Our Enterprise Risk Management Committee performs a central function in the assessment and management of our important business risks overall. Our Enterprise Risk Management Committee is comprised of members of our executive leadership. The committee meets periodically to review risk-related topics, including updates on cybersecurity risks and incidents, cybersecurity policy changes, and certain cybersecurity investment recommendations. The diverse skills and experience relevant to cybersecurity risk management possessed by the senior management and executive positions on this committee contribute to our effective management of such risks. The Enterprise Risk Management Committee is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through its Cybersecurity Steering Subcommittee and the Global Security Organization.
The Cybersecurity Steering Subcommittee oversees teams of subject matter experts and working groups assigned to focus on specific cybersecurity risk management issues, and receives periodic status updates from those teams.
The Enterprise Risk Management Committee provides reports to the audit committee of our board of directors on a quarterly basis to support its oversight of our cybersecurity risk management.
Chief Information Security Officer.
Our Chief Information Security Officer ("CISO") leads our Global Security Organization. Our CISO supports our compliance with standards and contractual obligations relevant to cybersecurity and good risk governance. Our CISO has over ten years of experience focused on cybersecurity. Our CISO has degrees in computer science and management information systems, each with an emphasis on information security, and has certificates from the Global Information Assurance Certification program as an Information Security Professional and for Strategic Planning, Policy and Leadership. Our CISO has held senior positions focused on the management and operation of our cybersecurity risk management processes for over five years.
In addition to its oversight, monitoring and other responsibilities, the Global Security Organization conducts an annual risk assessment process concerning our enterprise and product families. This process supports our prioritization, planning and execution of security program improvements. We also maintain a risk management process throughout the year designed to compile and manage risks through a variety of technical and administrative controls.
Third-party cybersecurity risk management.
Our cybersecurity processes are designed to identify and address cybersecurity risks associated with our use of third-party technologies and service providers.
Our processes call for the evaluation of third parties for security and compliance risks before onboarding them for potential use within our own systems and services. For applicable vendors, we require audit reports and regular responses to our detailed security questionnaires particularly for vendors associated with critical assets. In addition, our procurement processes call for specific contractual obligations from relevant vendors regarding their maintenance of appropriate cybersecurity controls and relevant certifications. Our internal Software Development Lifecycle is designed to build our products in part relying upon industry-standard practices and third-party tools and services to test our code and bundled third-party libraries for known security misconfigurations and errors.
Our people are a crucial pillar of our cybersecurity.
We operate processes to maintain an internal culture that expressly values cybersecurity. This includes broad-based processes for cybersecurity training, internal communications, reporting concerns, and escalations. Our security awareness and skills training processes guide behaviors across our workforce to be security conscious.
Consultants provide valuable services within our cybersecurity risk management.
Our cybersecurity risk management processes and technical safeguards are supported by consultants and other service providers including for security assessments of our suppliers, independent risk assessments and forensic analyses. We have also retained third-party providers to monitor and assess our cybersecurity posture by a variety of security indicators, cybersecurity threat intelligence signals and other sources and methods.
Incident response processes are an integral part of our cybersecurity posture.
If indications are reported of an actual or threatened incident affecting our information systems or networks, or affecting a third party provider relevant to our security, we commence our incident response processes led by the Global Security Organization. This comprehensive incident response process is designed to address possible and confirmed cybersecurity incidents and enable escalations and notifications to appropriate management and members of the audit committee.
After an incident has been contained, our processes shift emphasis to the continuity of business operations, and if necessary, restoration of services and the recovery of any affected business systems and data.
Board oversight of cybersecurity risk management.
On a quarterly basis, either the audit committee or the full board of directors receives information regarding our cybersecurity risk management from our Global Security Organization and from a representative of our Chief Product Officer’s organization. The chair of the audit committee also updates the full board of directors on specific topics that are presented or discussed at the regular meeting of the audit committee.
The audit committee also receives an annual review from the CISO regarding our cybersecurity strategies, including how changes in the threat landscape and changes to our risk posture and business and compliance requirements may affect our risk management strategies.

As a result of the significance of the cybersecurity threats to our business, we expend material efforts on our cybersecurity risk management processes, although we have not identified any specific threat or incident that has materially affected or is reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For additional information regarding our risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled: “A security breach or incident may compromise the integrity of our products, create service outages for our hosted products, or allow unauthorized access to our network or our customers’ data, harm our reputation, create additional liability and adversely impact our financial results.”