VERISIGN INC/CA - (VRSN)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Our cybersecurity program is designed and implemented to assess, identify, mitigate and manage risks from cybersecurity threats that may result in adverse effects on the integrity and availability of our production and information systems. Among other items, our cybersecurity program is composed of policies, standards, plans and frameworks for information security, business resilience, insider threat mitigation, technology asset management, cyber risk management, incident response and procurement. Material risks from cybersecurity threats include, among other things, operational disruption, including failure to meet our service level agreements, loss or destruction of data, hardware or intellectual property, and cyber extortion through ransomware. The management of cybersecurity risks, which involves significant and sustained resource commitments and management attention, is also integrated into the Company’s enterprise risk management program through formal processes that help identify and elevate the most serious risks, including those pertaining to cybersecurity, for management at the enterprise level and oversight at the Board level. For more information on the Company’s cybersecurity risks and their possible impact on our business strategy, results of operations, or financial condition, see Risk Factors – Cybersecurity and Technology Risk Factors in Part I, Item 1A of this Form 10-K.
Our cybersecurity program leverages the NIST Cybersecurity Framework to help protect the Company’s operations, information, production systems and networks from threats through cybersecurity practices, programs and tools that establish defenses in depth. The cybersecurity program includes, among other items, vulnerability and patch management, network and data segmentation, application of zero-trust principles, automated ingestion of multi-source threat intelligence, endpoint and network detection/response, application security, secure configurations for operating systems and databases, continuous security monitoring and 24/7 security operations. The program has dedicated business resilience, insider threat and governance, risk and compliance (GRC) functions. Incident management is governed by our Incident Response Plan, which assigns incident command and control parameters and escalation protocols to management and the Board of Directors. Our cybersecurity program also focuses on risks from the use of third-party services. Our GRC team assesses the cybersecurity practices of current and prospective service providers for compliance with our requirements, and our procurement functions seek terms and conditions, including, for example, audit rights and vulnerability or breach disclosure obligations, to enhance our defenses against supply chain risks.
Our cybersecurity program incorporates several control and best practice regimes, including, for example, the Center for Internet Security (CIS) controls. We conduct regular internal and external assessments, audits, and tabletop exercises to assess security vulnerabilities, control compliance and incident preparedness. These assessments and exercises include, for example, red team exercises simulating external attacks, crisis management exercises, including incident response, and internal audit reviews. Management and the Board’s Cybersecurity Committee review the results of these exercises, audits and assessments.
We also actively engage with third parties, such as key vendors, auditors, consultants, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our cybersecurity program. We monitor emerging data protection laws and cybersecurity and privacy regulatory requirements and implement changes to our standards and processes for continued compliance. Our cybersecurity program also includes employee and contractor training, which primarily consists of monthly educational videos, annual trainings and certifications, and phishing exercises.
Our cybersecurity strategy and program are led by our Executive Vice President and Chief Security Officer (CSO), who reports to the CEO. Our CSO is Danny McPherson, who has over 25 years of experience in technology and cybersecurity leadership positions and has authored several security-related books and numerous patents, IP standards, and security research publications. He has served in various capacities on various technology working groups and standards setting organizations including the Internet Architecture Board and the Internet Engineering Task Force. Our CSO manages a converged security, engineering and operations organization that helps to ensure that cyber and other security priorities are appropriately integrated throughout the Company. Our Chief Information Security Officer, Chief Information Officer and the head of architecture and engineering report to our CSO. These and other experienced employees lead the teams responsible for implementing various parts of our cybersecurity program.
In addition, a management-level Safety and Security Council (“Council”), chaired by our CEO and composed of our CSO and other senior officers, provides cross-functional coordination for the management of the Company’s security functions. The Council receives information, typically monthly, on the status of the cybersecurity program, initiatives, incidents, cybersecurity risks, assessments, and threats, among other items. The Chair of the Board’s Cybersecurity Committee is the Board’s liaison to the Council and attends the regular meetings of the Council.
The Cybersecurity Committee assists the Board with its oversight of the Company’s cybersecurity risks and our cybersecurity program. The Committee reviews our incident response plan, including escalation protocols, business continuity program plans, program budgets and resources, and our cybersecurity insurance program. The Committee also reviews and discusses the activities of the Council at each of its regularly scheduled meetings. The Committee operates pursuant to a written charter and calendar, each of which is reviewed on an annual basis. The Cybersecurity Committee and the full Board receive quarterly status reports on the cybersecurity program from the CSO, addressing progress and updates on various cybersecurity functions and initiatives including, for example, compliance, assessments, security operations and incident response, business resilience, distributed denial of service attacks, data privacy, technology and asset management, controls, and vulnerability management.