Cloudflare, Inc. - (NET)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We regularly face cybersecurity threats from malicious third parties that could obtain unauthorized access to our internal systems, networks, and data, including the equipment at our network and core co-location facilities. It is virtually impossible for us to entirely mitigate the risk of these and other security threats we face, and the security, performance, and reliability of our network and products has been in the past, and may be in the future, disrupted by third parties, including nation-states, competitors, hackers, disgruntled employees, former employees, or contractors. While we have implemented security measures internally and have integrated security measures into our systems, network, and products, these measures have not always functioned as expected and have not always detected or prevented all unauthorized activity, prevented all security breaches or incidents, mitigated all security breaches or incidents, or protected against all attacks or incidents. We have experienced breaches of, and unauthorized access to, our internal systems in the past and we believe such breaches and unauthorized access and other incidents may happen again in the future. As of the date of the filing of this Annual Report on Form 10-K, we do not believe these risks from cybersecurity threats, including the results of prior cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, but there can be no guarantee that we will not experience such a security breach or incident in the future. Refer to Part 1, Item 1A “Risk Factors” of this Annual Report on Form 10-K for additional information regarding cybersecurity risks related to our systems, products, and network.
Particularly in light of the extensive cybersecurity risks facing our company and the fact that we provide cybersecurity products to our customers, we recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to protect our internal systems, our global network, and our customers’ data. We have established a multi-layered approach to manage our cybersecurity risks with preventative and detective capabilities enabled in our network and internal systems that are designed to protect against cyber threats. This approach to cybersecurity includes, among other things, annual and periodic enterprise-wide risk assessments; ongoing collaboration with our product and engineering teams for the purpose of securing our products, systems, data, and global network; a vulnerability management program focused on proactively identifying, triaging and mitigating security vulnerabilities within our systems, network and data through ongoing testing, penetration tests and other simulations; regularly required security training for all employees; and a comprehensive incident response process to identify, contain, and remediate cybersecurity incidents. We also engage with external cybersecurity assessors and consultants in evaluating and testing our risk management systems. These processes are integrated into our overall risk management systems and processes to promote a company-wide culture of cybersecurity risk management.
We are aware of the risks associated with engaging third-party service providers, so we have implemented processes to oversee and manage these risks. We conduct security assessments of third-party providers who may have access to sensitive information before engagement and maintain ongoing monitoring of their compliance with our cybersecurity standards. The monitoring includes periodic reviews conducted by our security team. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Governance
Our Board of Directors, including through its audit committee, oversees our enterprise risk management processes, including our cybersecurity risk exposure and the steps management has taken to monitor, control, and address such exposure. The audit committee regularly reviews and discusses with our senior management, our internal audit team, and our independent auditor, our policies and processes designed to identify, monitor, and address enterprise risks, including risks from cybersecurity threats and incidents. This oversight and review of our risks from cybersecurity threats includes, among other things, our SVP, Chief Security Officer (CSO) providing regular quarterly briefings to our Board of Directors regarding cybersecurity threats, processes for preventing and/or addressing current threats, ongoing cybersecurity initiatives and strategy and regulatory compliance; our internal audit team reporting on a quarterly basis to the audit committee regarding cybersecurity and other enterprise risk management efforts and related audits and management action plans to mitigate risks by internal audits; and periodic other updates to our Board of Directors by our CEO and CSO in the event of specific critical cybersecurity threats.
Our CSO, who reports regularly and directly to our CEO, has primary responsibility for assessing, monitoring and managing our cybersecurity risks, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CSO, who joined us in 2023, has over 20 years of experience assessing and managing cybersecurity programs and cybersecurity risk at a number of different companies. Our internal security leadership team that reports to our CSO regularly communicates and meets to discuss cybersecurity threats and risk management, the effectiveness of our internal security programs, and cybersecurity emerging trends, risks, and incidents that may require increased focus. In addition, our internal audit team regularly reviews cybersecurity risks with our security team as part of our ongoing enterprise risk management program and conducts internal audits on various areas of cybersecurity risk. In addition, our CEO chairs an internal compliance committee that includes our CSO and other members of our security team and meets at least quarterly to review compliance with various laws, rules, and regulations applicable to our company, including with respect to cybersecurity matters.