APPIAN CORP - (APPN)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management

As part of our overall risk management system, we have established certain procedures to assess, identify, and manage material risks from cybersecurity threats. Our cybersecurity risk management system is designed to align with industry best practices, including International Organization for Standardization, or ISO, standards, provide a framework for handling cybersecurity threats and incidents, and facilitate coordination across different departments of our company. As part of this system, we have a formally documented information security management program and conduct regular tabletop exercises that include participation from executive officers. In addition, we engage consultants and other third parties who are experts in the cybersecurity risk management field to review and provide testing services as well as general incident management services. These engagements directly contribute to industry certifications and attestations that demonstrate our dedication to protecting the data that we are entrusted with by customers. Our Governance, Risk and Compliance team within the information security management program oversees and identifies material cybersecurity risks associated with our use of these third-party service providers through a formal vendor security risk management program.

Board Governance Disclosure

One of the Board’s key functions is informed oversight of our risk management process, which includes responsibility for ensuring management has processes in place designed to identify, evaluate, manage, and mitigate cybersecurity risks to which it is exposed. The Board receives regular updates, on at least a quarterly basis, from our senior management team on such cybersecurity risks, developments in cybersecurity, and updates to the Company’s information security management program. The Board is also involved in strategic decisions related to the impact of these risks on our business.

Management Governance Disclosure

Our senior management team, which includes our Chief Information Security Officer, or CISO, is responsible for identifying, assessing, and managing material risks from cybersecurity threats, as well as for establishing processes to ensure such risks are monitored and mitigated, with the CISO taking the lead on such matters. Our CISO, who joined Appian in May 2021, brings over 17 years’ experience in security and compliance initiatives, including experience in the software-as-a-service and platform-as-a-service cloud industries. We have documented the framework and process for when and by whom senior management is informed and when such information will be reported to the other parties in our Incident Response Guide, which is regularly reviewed and updated by the information security team.