Arista Networks, Inc. - (ANET)

10-K Filing Date: February 12, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. In addition, our Legal and Information Technology (IT)/Information Security (IS) teams work together to oversee our compliance with applicable laws and regulations and coordinate with subject matter experts throughout our business to identify, monitor and mitigate risk including information security risk management and cyber defense programs.
Our cybersecurity risk management program is aligned with our overall enterprise risk management programs and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management programs to other legal, compliance, strategic, operational, and financial risk areas.
Our cybersecurity risk management program includes:
an information security management systems policy, including a business continuity policy, acceptable use and physical security policies, and an incident response policy and plan for responding to cybersecurity incidents, among others;
risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
the use of internal audit teams and external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
cybersecurity awareness, data protection, and privacy training of our employees, incident response personnel, and senior management; and
a vetting and management process for third party service providers, suppliers, and vendors.
Through this program, our IT/IS team identifies and executes improvements based upon its own assessments, public cybersecurity events and the identification of new risks by third parties, including our external cybersecurity consultants. As part of these continuous improvement efforts, there may be times when the IT/IS team prioritizes certain cybersecurity fixes or program improvements over other measures, which could lead to new known or unknown risks being identified on an ongoing basis. Cybersecurity threat actors are often highly sophisticated and nimble in their attacks. Despite these efforts, we cannot guarantee that our priorities and efforts will prevent any cybersecurity incident from happening.
We also engage in periodic testing programs, using both internal assets and external consultants, including penetration testing, and incorporate multiple layers of physical, logical and written controls into our cybersecurity risk management program. Our IT/IS team leverages centralized identity management, encryption configurations and technologies on the systems, devices, and third-party connections used in our operations.
We also maintain cyber liability insurance coverage. While we currently hold such coverage, we cannot be certain that our insurance coverage will be adequate for liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any future claim will not be excluded or otherwise be denied coverage by any insurer.
As of the date of this report, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that we believe have, or are likely to, materially affect us, our business strategy, results of operations, or financial condition. For additional information concerning risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors in the category entitled, “Risks Related to Cybersecurity and Data Privacy”.

Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (Committee) oversight of cybersecurity and other information technology risks. The Committee oversees management’s implementation of our cybersecurity risk management program. The Committee receives quarterly reports from our Vice President and Chief Information Security Officer (CISO), in conjunction with other senior managers, on cybersecurity risks. In addition, these managers update the Committee, as necessary, regarding any material cybersecurity incidents, as well as incidents with lesser impact potential. The Committee reports to the full Board on cybersecurity no less frequently than once annually. The full Board also receives briefings from management on our cyber risk management program on a periodic basis.
Our cybersecurity program includes an annual funding and forecast process, and we have further established processes to secure additional funding in response to emerging risks, threats and identified improvement opportunities. Our IS team, led by one of our Vice Presidents who also serves as our CISO, is responsible for assessing and managing risks from cybersecurity threats. The IS team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity consultants.
Our CISO has over 20 years of experience in the cybersecurity industry and has been instrumental in building several key security technologies, viz. Network Intrusion Prevention Systems (NIPS), Host Intrusion Prevention Systems (HIPS), Web Application Firewalls (WAF), Whitelisting, Endpoint/Server Host Monitoring (EDR) and Virtualization Based Security (VBS). Previously, our CISO served in senior executive and technical leadership roles in several security companies. In addition, our CISO has experience as a pen-tester and has in-depth knowledge of operating system, networking and security products. Our CISO holds a bachelor’s degree in computer science and a master’s degree in software systems. In addition, our IS team includes over 20 members each with experience in network security related roles, with the two IS leads reporting to our CISO each having more than 20 years of security experience.
Our management team, including our CISO in consultation with our Chief Technology Officer and Chief Financial Officer, supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity consultants; and alerts and reports produced by security tools deployed in our IT environment. However, as indicated above, we cannot guarantee that our efforts will prevent any cybersecurity incident from occurring.
As part of our IT security program, our Cybersecurity Executive Committee and Information Security Steering Committee meet throughout the year to monitor and assess information security risks. In addition, we perform an enterprise risk assessment that is reviewed by the Committee and our Board of Directors on an annual basis and monitored on a quarterly basis by the Committee. The enterprise risk assessment is an assessment of key risks, including information security risks, data privacy, supply chain, human capital, and other risks.