INSTRUCTURE HOLDINGS, INC. - (INST)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity.

Information security is the responsibility of our Information Security and Compliance department, overseen by our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”). We leverage a combination of the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, NIST Security and Privacy Controls for Information Systems and Organizations, International Organization for Standardization (“ISO 27001”), the American Institute of Certified Public Accountants (“AICPA”) SOC 2 set of security controls, and Center for Internet Security best practice standards to measure our security posture and manage risk. We implement both preventative and detective mechanisms, as well as processes, controls, and tools, in layers. These layers include applications, systems, network, third parties, personnel, and physical security. We implement this system via governance, risk management, policy, education, security engineering, security compliance, security operations, and application security.

Our Incident Response Plan ("IRP") establishes the incident response ("IR") policies and procedures to position our organization to timely and effectively address cybersecurity incidents that could, or may have, compromised sensitive and/or personally identifiable information ("PII"), or have a serious impact on our ability to accomplish our mission. The IRP also specifies the organizational methods for the preparation, detection, analysis, eradication, and containment of an incident. The IRP describes the roles, responsibilities, and actions of the Incident Response Team ("IRT") to analyze, classify, and manage security events and incidents, including but not limited to, unauthorized access, alteration or compromise, denial of service, malicious code, or misuse.

To implement our policy, we maintain a comprehensive IR process containing detailed information on points of contact, response procedures, and training. We perform an annual security incident response exercise to test the effectiveness of the incident response process we have established. The annual test consists of scenario-based tabletop exercises that involve members of the IRT and cover specific types of incidents. These exercises also provide a mechanism to train personnel with security incident response duties to understand the roles, responsibilities, and procedures they have within the plan. In addition, we conduct regular security awareness training for all of our employees, and carry insurance that provides protection against the potential losses arising from a cybersecurity incident. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all.

Additionally, our security team conducts regular vulnerability scans of both our non-public assets and our production environments, using a number of internal and external tools, custom scripts, and monitoring agents to watch for open-source libraries and dependency vulnerabilities. In addition to regular scanning and periodic internal security audits conducted throughout the year, we conduct open, third-party security reviews, including year-round bug bounty penetration testing.

We utilize several third-party organizations to host our products for customers. We monitor the secure provision of these services, and our security team performs thorough vetting of third-party vendors prior to, and periodically throughout, the relationship. To help provide reasonable assurance of the security practices and mechanisms at these third parties, we request and review copies of the third-party assurance reports provided by these organizations on an ongoing basis to confirm their controls are operating effectively. Legal contracts with these third parties also include security provisions to help ensure the implementation and operation of effective security controls at the third-party organizations. Furthermore, we host all customer-facing web applications and supporting infrastructure on AWS. We rely on AWS’ ability to design and operate the critical mechanisms and controls to protect physical access to data and availability of our services. AWS has represented to us that their data centers utilize state-of-the-art electronic surveillance and multi-factor access control systems, among other security measures, including permanent trained security guards and limited access.

In the last three years, neither we nor our third-party provider has experienced any material information security breach incident, and the expenses we have incurred from information security breach incidents were immaterial. For additional information about the Company’s cybersecurity risks, please refer to “Risks Related to our Technology and our Intellectual Property Rights” in Item 1A, “Risk Factors.”

While our full board of directors has overall responsibility for risk oversight, it has delegated to the Audit Committee oversight of our risk management process. Our Audit Committee is committed to regularly reviewing, advising on, and overseeing the effectiveness of our cybersecurity and data protection programs and practices, including controls, policies and guidelines, security strategy and technology planning, compliance, and preparedness and incident response planning. The Audit Committee reports to the full board of directors when a cybersecurity matter rises to the level of a material or enterprise-level risk.

The CIO presents updates to the Audit Committee as needed and, also as necessary, to the board of directors. These reports include detailed updates on our performance in preparing for, preventing, detecting, responding to, and recovering from cyber incidents. The CIO also promptly informs and updates the board of directors about any information security incidents that may pose significant risk to Instructure.

Our CIO has over 20 years of experience building, developing, and leading high-performance cloud, IT, and security teams globally, while strategically aligning IT and security services for organizational success. Prior to joining Instructure in 2021, he was SVP of Cloud Customer Operations and the Chief Information Security Officer at a business intelligence and analytics firm. Before that, he led global IT and information security for the largest dedicated global software security firm. He has a Master’s Degree in Information Systems from George Mason University and a Bachelor’s Degree in Computer Science from SUNY Buffalo.

Our CISO has 15 years of experience in Information Technology. During the last decade, he has focused on leading information security programs, with the aim of creating alignment and synergy between security programs and other business units. Prior to joining Instructure in 2022, he led the inauguration of an information security program and implemented strong and adaptable information security processes and controls at a retail technology company. Before that, he was Director of Information Security for a leading modern media company. He has both a Master’s Degree and Bachelor’s Degree in Information Security from Marymount University.
