Q2 Holdings, Inc. - (QTWO)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
As a provider of SaaS solutions and an extensive user of a variety of technology services, we are subject to numerous risks from cybersecurity threats that have adversely affected and could adversely affect us; however, to date none have materially affected us or our business strategy, results of operation or financial condition. Cybersecurity threats are ever-present and continuously evolving, and we have expended and will continue to expend considerable resources to deliver solutions that are designed to comply with the stringent security and technical regulations and practices applicable to financial institutions and financial services providers and to safeguard our solutions and information systems against cybersecurity threats. For more information regarding the risks we face from cybersecurity threats, please see "Item 1A. Risk Factors."

We have implemented a risk-based approach to identify and assess the cybersecurity threats that have affected and could affect our business and information systems, which approach is incorporated into our overall enterprise risk management program. Our enterprise risk management program includes a formal, enterprise-wide inventory, categorization and assessment of risks, including risks associated with cybersecurity threats, overseen by the Risk and Compliance Committee, or RACC, of our Board of Directors, and managed by our dedicated Chief Risk Officer, or CRO, and an Enterprise Risk Oversight Committee consisting of a cross-functional representation of senior leaders including our Chief Information Security Officer, or CISO. Our CRO has over eight years of senior risk management experience at large technology organizations, following a 20-year career in the U.S. Army.
Our enterprise risk management team works in partnership with our dedicated security, information technology, compliance, internal audit, and third-party risk management functions, which collectively rely on a variety of internal resources and processes, as well as third-party consultants, auditors and applications, to identify, assess and manage cybersecurity risks, including cybersecurity threats related to third-party providers on which we rely. Our enterprise risk management function also extensively consults with senior management across our organization in identifying, assessing and managing risks.
Our information security program is managed by a dedicated CISO, whose team is responsible for leading our enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. Our CISO has more than 20 years of experience directing disparate teams across application and product security, cyber defense, risk management, information governance, information technology compliance, information technology training and sales. Our CISO is appointed by the RACC, which also oversees the implementation, monitoring and testing of our information security program. Our CISO and CRO provide periodic reports to the RACC, at least quarterly. These reports include updates on the Company's cybersecurity risks and threats, the status of projects to strengthen our information security posture, assessments of the information security program, and the emerging threat landscape. Our CISO and CRO also regularly meet separately with the chair of the RACC to provide similar updates. Our information security program includes incident response procedures designed to facilitate escalation of actual or potential cybersecurity incidents initially to members of our security team, and as appropriate to senior management and the RACC, to allow proper consideration, mitigation and remediation of, as well as evaluation of potential disclosure obligations with respect to, actual or potential cybersecurity incidents. Our information security program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management and the RACC. We also actively engage with key vendors, industry participants and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security program.