MICROSTRATEGY Inc - (MSTR)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

As part of our cybersecurity risk management framework, we have implemented comprehensive Corporate Incident Response Plans (IRPs) and other policies and procedures designed to ensure the assessment, identification, and management of material risks from cybersecurity threats, and to facilitate timely disclosure of material cybersecurity incidents in accordance with SEC rules. Our policies provide for cybersecurity awareness training for employees and engagement in due diligence processes in accordance with industry best practices for third-party vendors, including those handling critical services or sensitive data on our behalf. Our policies also provide for regular, senior management-led table-top exercises simulating cyberattack scenarios to ensure preparedness and response agility. We undertake an annual review of our policies to help ensure their effectiveness and relevance in light of evolving cybersecurity threats. Additionally, we maintain cyber insurance to help cover costs associated with the occurrence of certain cybersecurity events. We do not currently engage any other third parties as part of our cybersecurity risk management framework, but we do use third party services and products in the ordinary course with respect to certain common cybersecurity threats.

Our IRPs, which are tailored to address potential cybersecurity threats in both our product and corporate infrastructure technology environments, are designed to provide a comprehensive, structured response to cybersecurity incidents, and apply to all MicroStrategy personnel, including employees, directors, temporary staff, and contractors. In accordance with our IRPs, we train our personnel to
report any cybersecurity incidents to our Information Security Team (IST). Upon identification of a cybersecurity incident, the IRPs mandate that the IST conduct an immediate evaluation and assign a severity rating to the incident and, depending on the severity, report the incident to our Chief Information Security Officer (CISO). Based on the severity of the incident, a Security Incident Response Team (SIRT), the members of which include our Chief Information Officer (CIO), the CISO, and personnel from various departments, including legal, is convened. The SIRT, with assistance from the IST, is tasked with executing a timely and effective response to the incident, and SIRT members are assigned specific roles and responsibilities, including assessment of the incident's materiality for disclosure purposes.

Our CIO and CISO oversee our cybersecurity preparedness. Our CIO has over 25 years of experience in the technology sector, including specifically in the cybersecurity industry, and held various leadership positions prior to joining MicroStrategy in 2018. Our CISO, who joined MicroStrategy as CISO in 2021, has over 20 years of experience with cybersecurity and privacy, and has experience with IT infrastructure technologies, including cloud, network, server, endpoint, and mobile technologies. Our CISO holds a master’s degree in computer science and multiple industry-recognized cybersecurity certifications. The IST operates under our CISO’s leadership, who in turn reports to our CIO.

We administer our cybersecurity risk management framework separately from our other risk management systems and processes, under the direct oversight of our board of directors and senior management. MicroStrategy's management, including our CIO and CISO, provides the board of directors with regular updates on cybersecurity incidents and emerging threats. The board actively engages with management on the development and implementation of cybersecurity policies and practices, offering insights and guidance. Board members with significant experience in software technology, such as Michael J. Saylor and Leslie J. Rechan, each with over 30 years of software industry experience, and Phong Le, our Chief Executive Officer, contribute their expertise to our cybersecurity risk management.

Unauthorized parties have attempted, and we expect that they will continue to attempt, to gain access to our systems and facilities, as well as those of our third-party vendors, through various means, such as hacking, social engineering, phishing, and fraud. However, such incidents have not materially affected, nor are they reasonably likely to materially affect, our business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors – Risks Related to Our Bitcoin Acquisition Strategy and Holdings – If we or our third-party service providers experience a security breach or cyberattack and unauthorized parties obtain access to our bitcoin, or if our private keys are lost or destroyed, or other similar circumstances or events occur, we may lose some or all of our bitcoin and our financial condition and results of operations could be materially adversely affected” and “Item 1A. Risk Factors – Risks Related to Our Operations – If we or our third-party service providers experience a disruption due to a cybersecurity attack or security breach and unauthorized parties obtain access to our customers’, prospects’, vendors’, or channel partners’ data, our data, our networks or other systems, or the cloud environments we manage, our offerings may be perceived as not being secure, our reputation may be harmed, demand for our offerings may be reduced, our operations may be disrupted, we may incur significant legal and financial liabilities, and our business could be materially adversely affected.”