SolarWinds Corp - (SWI)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
We use, among other frameworks, the NIST Cybersecurity Framework and CIS Critical Security Controls as guides to help us identify, assess, and manage cybersecurity risks relevant to our business. Although we refer to such frameworks in developing our cybersecurity risk management approaches, our use of them as guides is not intended to suggest that we meet any particular technical standards, specifications, or requirements set forth therein.
Our cybersecurity risk management program is integrated with our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas.
Our cybersecurity risk management program includes the following key elements:
•risk assessments designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment;
•a team comprised of IT security, IT infrastructure, and IT compliance personnel principally responsible for directing (1) our cybersecurity risk assessment processes, (2) our security processes, and (3) our response to cybersecurity incidents;
•the use of external cybersecurity service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
•cybersecurity awareness training of employees with access to our IT systems;
•a cybersecurity incident response plan, incident response policy and Security Operations Center (SOC) to respond to cybersecurity incidents; and
•a third-party risk management process for key service providers, suppliers, and vendors to assess for cyber risks and to assist the business in making risk-informed technology product and services decisions. We perform due diligence, including risk assessments, as appropriate, on third parties who maintain material data or information to help us evaluate and verify third party information security capabilities.
There can be no assurance that our cybersecurity risk management program, including our controls, procedures and processes, will be fully complied with or that our program will be fully effective in protecting the confidentiality, integrity and availability of our information systems and our solutions. See Part I, Item 1A. “Risk Factors – Risks Related to Our Technology, Cybersecurity and the Cyber Incident” of this Annual Report on Form 10-K.
Other than with respect to the Cyber Incident, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized and material, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Part I, Item 1A. “Risk Factors – Risks Related to Our Technology, Cybersecurity and the Cyber Incident” of this Annual Report on Form 10-K.
Cybersecurity Governance
Our Board considers cybersecurity risk as critical to the enterprise and delegates the cybersecurity risk oversight function to the Board’s Technology and Cybersecurity Committee (the “Technology and Cybersecurity Committee”). The Technology and Cybersecurity Committee oversees management’s design, implementation and enforcement of our information technology systems and cybersecurity risk management program. Our Technology and Cybersecurity Committee meets and reports to the full Board at least quarterly.
Our Chief Information Security Officer, or CISO, regularly reports to the Technology and Cybersecurity Committee on an at least quarterly basis and leads the Company’s overall cybersecurity function. The Technology and Cybersecurity Committee receives regular reports from our CISO on our cybersecurity risks, including briefings on our cyber risk management program and cybersecurity incidents. Technology and Cybersecurity Committee members also receive regular presentations on cybersecurity topics from our CISO, supported by our internal security staff, as part of the Board’s continuing education on topics that impact public companies.
Our CISO supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in our IT environment.
While our Board and Technology and Cybersecurity Committee oversee cybersecurity risk, our senior leadership is responsible for identifying, assessing and managing our material risks from cybersecurity threats. Our IT organization, which is led by our Chief Information Officer, is accountable for our overall cybersecurity risk management program. Reporting to our Chief Information Officer is the individual who provides day-to-day oversight of our cybersecurity program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers, our Chief Information Security Officer (“CISO”). Our CISO has an undergraduate degree in computer science and 30 years of experience in the IT, engineering and cybersecurity space. He has been with the Company since 2017, and previously served in management roles overseeing cybersecurity and security architecture at both publicly traded and private companies in the technology and software development industries. Our CISO is a recognized leader in the cybersecurity industry and often speaks at notable events throughout the world. The team that runs our cybersecurity risk management program comprises IT security, IT infrastructure and IT compliance personnel, who have prior work experience in various roles involving information technology (such as security, auditing, compliance, systems or programming) and/or relevant education or certifications.