Fastly, Inc. - (FSLY)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, trade secrets, personal information, and data of our customers (including their end-users) (“Information Systems and Data”).
Our Chief Information Security Officer (“CISO”) and security organization help identify, assess, and manage the Company’s cybersecurity threats and risks, including through the use of the Company’s security risk register. The CISO and security organization identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods including, for example: (1) identifying vulnerabilities through automated scans, vulnerability assessments, and subscriptions to threat intelligence feeds and notices; (2) assessing security weaknesses identified through internal security reviews, external penetration tests, and reports on our products and services; and (3) assessing the Company’s threat landscape given the industry’s risk profile, the results of our enterprise risk assessment, and information technology, privacy, and security audits.
Depending on the environment, system, and data, we implement and maintain various technical, physical, and organizational measures, processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response plan; incident detection and response; vulnerability management policy; disaster recovery plans; risk assessments; implementation of security standards and certifications; encryption of data; network security protocols; data segregation; access controls; physical security; asset management, tracking and disposal; systems monitoring; vendor risk management program; employee training; penetration testing; cybersecurity insurance; and a dedicated CISO and security organization.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) the security organization is engaged in all major changes to the Company’s environment or products to conduct a risk assessment and identify potential cybersecurity risk; (2) cybersecurity risk is a component of the Company’s enterprise risk management program and managed within the Company’s risk register; (3) the security organization works with senior leadership across the Company to prioritize our risk management processes and mitigate cybersecurity threats that are most likely to lead to a material impact to our business; and (4) our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports the results to the board of directors, which evaluates our overall enterprise risk.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example: professional services firms, including legal counsel; cybersecurity software providers; managed cybersecurity service providers; penetration testing firms; and forensic investigators.
We use third-party service providers to perform a variety of functions throughout our business, such as providing cloud-based infrastructure, hosting third-party applications, and delivering content to customers, as well as data center hosting. We have a formal vendor management program to manage cybersecurity risks associated with our use of these providers. The security organization conducts a risk assessment to determine the criticality of the vendor prior to onboarding. Depending on the criticality of the vendor, which is based on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor security review process involves different levels of assessment designed to identify cybersecurity risks associated with a provider prior to onboarding and on a periodic basis, including, for example: (1) a vendor security questionnaire; (2) results of audit reports and certifications; and (3) policies and standards detailing the third party’s security program. Based on the results of the vendor security review, a decision is made on whether the third party can be engaged. We review our most critical providers' audit reports and certifications on an annual basis to reassess whether or not they have experienced any material changes or degradations to their security programs since our initial review that may warrant re-evaluation. The Company generally engages reputable third-party service providers and, when appropriate, imposes contractual obligations related to cybersecurity on its providers.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If our information technology systems or data, or those of third parties upon which we rely, are compromised now, or in the future, or the security, confidentiality, integrity or availability of our information technology, software, services, networks, communications or data is compromised, limited or fails, our business could experience materially adverse consequences, including but not limited to regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, loss of revenue or profits, loss of customers or sales, reputational harm, and other adverse consequences.”
Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our CISO, Mr. Marshall Erwin. Our CISO has experience in the technology and government industries, including through his previous roles as CISO for a major Internet company and an analyst in the US intelligence community. He also served as the cybersecurity and counterterrorism advisor on the Senate Homeland Security and Government Affairs Committee and as the intelligence specialist at the Congressional Research Service.
Our CISO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CISO is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our incident response plan is designed to escalate certain cybersecurity incidents, including breaches, to members of management depending on the circumstances, including our CISO, general counsel, and other members of leadership when appropriate. The security incident and response team works with relevant subject matter experts across the organization when necessary to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response plan includes reporting to the board of directors for cybersecurity incidents the Company's disclosure committee determines are material. The disclosure committee, which includes members of management such as our Chief Financial Officer and general counsel, meets quarterly. The CISO acts in an advisory capacity to the Company's disclosure committee on an as-needed basis.
Our board of directors receives periodic reports, at least annually, from our CISO concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented to address them. Our board of directors also receives various reports, summaries or presentations related to cybersecurity threats, risks and mitigation.