Five9, Inc. - (FIVN)

10-K Filing Date: February 22, 2024
ITEM 1C. Cybersecurity
Information Security Management Strategy
We have developed, implemented and maintain a formal “risk-based” Information Security Management System, or ISMS, that is designed to protect the confidentiality, integrity, and availability of the information contained within our systems. The ISMS complies with a number of internationally recognized standards for information security, including the ISO 27001:2013 Standard for Information Security; the AICPA System and Organization Controls (SOC) criteria for Security and Availability; and the Payment Card Industry Data Security Standard 3.2.1, or PCI DSS 3.2.1, the global standard for the payment card industry. In accordance with these international standards, and included in the ISMS, is our cybersecurity incident response process and plan.
In the event of a potential cybersecurity incident, our Chief Information Security Officer, or CISO, is notified of the incident and assembles an Incident Response Team, which is comprised of individuals who have the necessary technical, operational, and regulatory knowledge to assist the CISO. Typically, senior members of our engineering, operations, security, compliance/data protection office, and legal functions comprise the Incident Response Team. The Incident Response Team will conduct an assessment to determine the nature and scope of the incident and will manage the incident in accordance with our incident response procedures until the incident is contained and resolved. The Incident Response Team will document findings and make them available to the Incident Classification Team, which is comprised of our CISO, Executive Vice President of Production Engineering, Chief Information Officer, Chief Legal & Compliance Officer, or CLO, Chief Operating Officer, Chief Financial Officer, and their respective delegates. The Incident Classification Team is responsible for assessing the incident and notifying members of our management and our Board. Our Chief Executive Officer, CLO and CISO, in conjunction with third-party experts, including outside legal counsel and our internal disclosure committee, are responsible for coordinating external communications and disclosures, including with the Securities and Exchange Commission.
Our ISMS has a risk-based formulation. The cybersecurity risk process within the ISMS is an integral component of our enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Cybersecurity incidents and their associated risks are integrated into the enterprise risk management program, where appropriate mitigating strategies are determined and acted upon to mitigate cybersecurity risks.
Our ISMS and cybersecurity risk management program includes:
• risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
• a security team principally responsible for (1) recommending and implementing appropriate technologies to mitigate cybersecurity risks; (2) monitoring internal systems and taking appropriate action in the event of alerts; (3) monitoring the threat landscape; and (4) our response to cybersecurity incidents and management of the incident response process and the Incident Response Team;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, including but not limited to outside legal counsel, reputable third-party firms for 24/7 threat monitoring, detection and response, and third-party experts for conducting periodic process assessments to help us evaluate and enhance our cybersecurity practices;
• cybersecurity awareness training of our employees, incident response personnel, and senior management, which covers a variety of topics designed to educate our employees about the importance of cybersecurity awareness, highlight typical cybersecurity-related risks and issues, such as phishing attacks and other methods used to attempt to infiltrate our systems, and test that awareness using knowledge assessments and simulations;
• external cybersecurity consultants, including the Palo Alto Networks Unit 42 Incident Response team, supervised by our Incident Response Team and Incident Classification Team;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
• a third-party risk management process for service providers, suppliers, and vendors, pursuant to which we require such third parties to maintain certain security controls and assess their compliance with these requirements; and
• independent third-party assessments and audits of our ISMS to determine if it meets the requirements of international information security standards such as ISO 27001:2013, PCI DSS 3.2.1, HIPAA/HITECH, and the AICPA SOC criteria for Security and Availability.
We have not identified risks from known cybersecurity incidents, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Governance
Our Board considers cybersecurity risk as part of its risk oversight function, and the full Board has direct oversight of cybersecurity and other information technology risks as well as oversight of management’s implementation of our cybersecurity risk management program. Several of our Board members have substantial experience in the cybersecurity field, including Ms. Julie Iskow, Ms. Sue Barsamian, Mr. David Welsh and Mr. David DeWalt.
Our Board receives quarterly reports from management on our cybersecurity processes and risks. In addition, management updates the Board, as necessary, regarding cybersecurity incidents, including those that are immaterial.
Our Board also receives briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from our CISO and internal security staff as part of the Board’s continuing education on topics that impact public companies.
Our management, including our CISO, oversees cybersecurity threats using our Incident Response Team and Incident Classification Team. Our management is responsible for assessing and managing our material risks from cybersecurity threats and incidents, has the primary responsibility for our overall cybersecurity risk management program, and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management, including our CISO, brings a wealth of knowledge and expertise to our company. Our CISO has experience in roles including VP Product Security at Palo Alto Networks, VP Product Security at SAP Ariba, and CISO for SAP Sales Cloud, which demonstrates a proven track record in developing and implementing robust cybersecurity strategies, managing large-scale security operations, and leading incident response initiatives. Our CISO has a deep understanding of emerging cyber threats and technological advancements and is adept at ensuring compliance with regulatory requirements and industry standards, while fostering a culture of security awareness throughout the organization.
Our management, through and in conjunction with the Incident Response Team and Incident Classification Team, supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.