Palantir Technologies Inc. - (PLTR)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We maintain a security organization that is responsible for overseeing security practices across the Company, including with respect to information, personnel, and facilities. Our information security team maintains policies and processes for assessing, identifying, and managing material risk from cybersecurity and other information security threats, including those that may be related to our third-party vendors and suppliers.
Our Chief Information Security Officer leads our information security team and works with Palantir’s other departments in areas such as facilities, physical security, operations, data protection, information technology, product development, finance, legal and compliance, where necessary in assessing and reviewing risks and identifying actions to be taken. As part of our overall approach to risk management, we monitor and evaluate the sufficiency of our policies, processes and controls, including with respect to cybersecurity risks and processes.
Regular assessments and reviews, both internal and independent, are conducted on Palantir information assets and networks, including systems, devices, applications, and related computing resources, to evaluate potential risks and vulnerabilities, identify actions to be taken, and evaluate the effectiveness of our cybersecurity program and controls. Risk management exercises occur regularly and in response to changes in Company operations, the risk landscape, and threat actor activities, using threat modeling, risk forecasting, and other techniques to identify where investments in security should be made. Internal assessments occur based on results from risk management exercises, changes in infrastructure, cybersecurity risks, threat actor activity, and in response to other internal or external events. External assessments are conducted by independent assessors, consultants, or auditors, as relevant, and occur regularly in order to maintain our certifications and accreditations with certain compliance regimes (for example, FedRAMP).
We also provide employees with policies and training in areas such as ethics, corruption, information security, social engineering, data protection, and compliance, and with regular updates on the cybersecurity program and potential threats.
Additionally, Palantir utilizes third-party software, services, and providers in our cybersecurity program in furtherance of our security processes such as endpoint security, threat intelligence, cloud security, and authentication services. The third-party vendors we engage with are generally required to implement industry standard technical, administrative, cybersecurity, and physical measures designed to protect the security and confidentiality of Palantir information (including customer information). Such providers also undergo review, dependent on the software and services they are expected to provide, as part of our vendor onboarding process and may be subject to additional review upon certain critical events, or in connection with contract renewals. Third-party providers must notify Palantir promptly of relevant security incidents.
We face a number of cybersecurity risks in connection with our business. To date, our business strategy, results of operations, and financial condition have not been materially affected by cybersecurity incidents. For additional information, please refer to Item 1A. “Risk Factors” in this Annual Report on Form 10-K, including the risk factors under the section entitled “Risks Related to Intellectual Property, Information Technology, Data Privacy, and Security”.
Governance
Risk is inherent with every business, and we face a number of risks, including strategic, financial, business and operational, legal and compliance, and reputational. We have designed and implemented processes to manage risk in our operations. Management is responsible for the day-to-day management of risks we face, while our Board of Directors, as a whole and assisted by its committees, has responsibility for the oversight of risk management. Our Board of Directors administers its cybersecurity risk oversight function directly and may choose to administer this function through its committees as well.
Our Chief Information Security Officer oversees our cybersecurity program, policies and processes, including those described in “Risk Management and Strategy” above, and works with the information security team and other stakeholders on the prevention, detection, mitigation, response and remediation of cybersecurity incidents, as applicable. As our information security team monitors the security and effectiveness of our policies and processes, they also work to keep the Chief Information Security Officer and other members of leadership informed of critical incidents, process updates, or other material details, in accordance with our internal reporting structure. Our Chief Information Security Officer in turn provides periodic briefings to our Board of Directors regarding our company’s cybersecurity risks and activities, which would include recent material cybersecurity incidents and related responses, if any, changes to the risk landscape, and updates or changes to the cybersecurity program. Our Chief Information Security Officer has over 15 years of direct, technical cybersecurity experience in the commercial and government sectors, and holds an undergraduate degree in infrastructure assurance and a graduate degree in information security engineering, as well as certifications in information security. The information security team includes employees with broad ranging experience in cybersecurity threat assessments and detection, incident response, and mitigation and management of various types of threats, including from insiders and nation-state actors.