DROPBOX, INC. - (DBX)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented a variety of cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess and manage such material risks. Our approach includes: (1) an enterprise risk management program, which includes cybersecurity risks and is periodically refreshed; (2) security and privacy reviews designed to identify risks from new features, software, and vendors; (3) a vulnerability management program designed to identify hardware and software vulnerabilities; (4) an internal red team program, which simulates cyber threats, intended to allow us to address vulnerabilities before threat actors identify them; and (5) a threat intelligence program designed to model and research our adversaries. These processes vary in maturity across the business and are processes we work to continually improve.

Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.

We also maintain an incident response program to prepare for, detect, respond to, and recover from cybersecurity incidents, which includes processes to triage, assess severity of, escalate, contain, investigate, and remediate identified incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Further, we conduct regular tabletop exercises to test and fortify the controls of our cyber incident response program. The incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of cybersecurity incidents provided to our management team. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident.

Our risk management approach is supplemented by external and internal enterprise risk management audits, including SOC-2 and ISO 27001, which are designed to test the effectiveness of our security controls. We conduct penetration testing on a periodic basis and have established an external bug bounty program to allow security researchers to help identify vulnerabilities in our systems before they mature into real-world cybersecurity threats. We also maintain a vendor risk management program designed to identify and mitigate risks associated with third-party suppliers and business partners. This program includes pre-engagement diligence, contractual security and notification provisions, and ongoing monitoring, as appropriate.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Our business could be damaged, and we could be subject to liability, if there is any unauthorized access to our data or our users’ content, including through privacy and data security breaches or incidents,” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

Governance

Our Board of Directors is actively involved in overseeing cybersecurity risk management. At least once a year, the Board of Directors discusses our programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of Dropbox’s business strategy. Additionally, our audit committee oversees programs and policies related to cybersecurity risks and initiatives. Our audit committee is comprised entirely of independent directors who evaluate these issues at least quarterly.

We have also established a cross-functional leadership team to oversee our information security and privacy programs and practices, as well as to assess, identify, manage and mitigate security and privacy risks. Members of this team also report periodically to the board of directors, audit committee, and members of our senior leadership team. This team includes senior leaders from our legal, privacy, information security, information technology, infrastructure, and compliance teams, including our Chief Privacy Officer, our VP, Business Foundations, our Head of Security, and our Chief Legal Officer. Our Chief Privacy Officer has held various roles advising Dropbox and two other large publicly-traded technology companies on a variety of privacy, regulatory, and product counseling issues since 2010. Our VP, Business Foundations has been with us since 2020, and has worked in the technology industry for over 20 years, working in product development, engineering, and security leadership and risk management roles over that time. Our Head of Security joined Dropbox in 2022 and has held roles in cybersecurity, engineering, and operations, including leadership positions, with a variety of companies for over 20 years. Our Chief Legal Officer has been with us since 2011, having served as our Chief Legal Officer or General Counsel for a total of over seven years, and has over 20 years of experience in the legal profession.

Members of senior leadership are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described herein, including the operation of our incident response plan. Additionally, all employees are required to complete annual information security and privacy training, which is reviewed and updated annually. They also receive ongoing security awareness education via informational emails, talks and presentations, and resources available on our intranet.