WORKIVA INC - (WK)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Risk management and strategy
We are subject to various cybersecurity risks that could adversely affect our business, financial condition, results of operations and reputation. We recognize the importance of developing, implementing, and maintaining comprehensive cybersecurity measures as part of our larger risk management program to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our risk management team works closely with our Information Technology and Information Security (“InfoSec”) departments to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Our information security program incorporates data encryption and access control, single sign-on and multi-factor authentication, vulnerability management, and malware protection for both laptops and servers. We align with industry standards and frameworks, and we maintain FedRAMP Moderate authorization, an ISO 27001 certificate, and SOC 1 and SOC 2 Type 2 reports to demonstrate adherence to industry standard practices. There can be no guarantee that, in every instance, our policies and procedures will be properly followed or that those policies and procedures will prevent malicious or unauthorized access to our information systems.
Engaging Third-parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we regularly engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights in order to adhere to industry standard practices. Our collaboration with these third-parties includes regular audits, threat assessments, and consultation on security enhancements.
Overseeing Third-party Risk
We require that all third-party vendors that have access to or handle sensitive information undergo a risk-based vendor security assessment. Our Governance, Risk and Compliance team conducts security assessments of critical third-party providers before engagement and maintains ongoing annual monitoring to mitigate risks relating to data breaches or other security incidents originating from third-parties.
Risks from Cybersecurity Threats
We have not encountered any cybersecurity incidents or threats to date, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. Although we have not yet been materially impacted by any cybersecurity incident, we are subject to cybersecurity threats, as discussed in Item 1A. Risk Factors, including in the risk factor entitled “We face continually evolving cybersecurity risks, which could result in the loss, theft, misuse, unauthorized disclosure, access, or destruction of confidential information or data, disruption of our solutions, damage to our brands, reputation and relationships with customers, legal exposure and financial losses.”
Governance
The Board of Directors (the “Board”) has established oversight mechanisms designed to manage risks associated with cybersecurity threats.
Board of Directors Oversight
The Board is composed of members who have diverse expertise, including risk and financial management, technology, cybersecurity and finance, equipping the Board to oversee cybersecurity risks effectively.
Management’s Role in Managing Risk
The Chief Information Security Officer (“CISO”) plays a pivotal role in informing the Board and the Audit Committee on cybersecurity risks and provides comprehensive briefings on a regular basis, with a minimum frequency of three times per year to the Audit Committee and once per year to the full Board. In its committee reports, the Audit Committee apprises the full Board of any significant cybersecurity updates. These briefings encompass a broad range of topics, including:
•Current cybersecurity landscape and emerging threats;
•Status of ongoing cybersecurity initiatives and strategies;
•Incident reports and knowledge gleaned from any cybersecurity events; and
•Compliance with regulatory requirements and industry standards.
In addition to our scheduled meetings, the CISO and Chief Executive Officer (“CEO”) inform and consult as appropriate with the Board regarding any significant developments in the cybersecurity domain.
The CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with an incident response plan. This plan includes actions to mitigate the impact of any current cybersecurity incidents and long-term strategies for remediation and prevention of future incidents.
Monitoring Cybersecurity Incidents and Reporting to Board of Directors
The CISO regularly informs the CEO, Chief Legal Officer, Chief Information Officer and in-house data privacy counsel regarding cybersecurity risks and incidents to keep senior management abreast of our cybersecurity posture and the potential risks facing Workiva. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Board, to enable it to provide oversight and guidance on any critical cybersecurity issues.