JUNIPER NETWORKS INC - (JNPR)
10-K Filing Date: February 07, 2024
ITEM 1C. Cybersecurity
Cybersecurity Risk Management and Strategy:
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, internal operational risks; system security risks; data protection; risks to proprietary business information; intellectual property theft; fraud; extortion; harm to employees, partners, or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage such material risks.
To aid in identifying and assessing material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity risks alongside other significant company risks as part of our overall risk assessment process. As part of this process, the Company gathers input from subject matter specialists, as necessary, to help identify and assess material cybersecurity threat risks, as well as their potential severity and mitigation measures. We also have a cybersecurity-specific risk assessment process, which helps identify potential cybersecurity risks. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to inform our professionals’ risk identification and assessment.
We manage these known risks by using internal security controls designed to align with standards set by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and the Center for Internet Security (“CIS”), and by engaging third party experts to perform penetration tests to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K. These penetration tests are focused on specific objectives to assist us in managing our cybersecurity threat risks. Our maturity in these controls varies by control type and by business.
We also conduct the following activities at various intervals during the year, which vary in maturity across our business:
•monitor emerging data protection laws and implement changes from time-to-time to our processes designed to comply;
•undertake regular reviews of our customer facing policies and statements related to cybersecurity;
•through policy, practice, and contract (as applicable) require employees, who provide services on our behalf, to treat customer information and data with care;
•leverage the NIST incident handling framework to help us prepare, detect, analyze, contain, eradicate, respond, and recover when there is an actual or potential cybersecurity incident;
•run exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
•run exercises to simulate a response to a cybersecurity incident to provide training to our cyber incident response team;
•run annual tabletop exercises to train our executives and increase their cybersecurity awareness;
•conduct a variety of information security and privacy trainings, including new employee training, job-specific security training, specialized training for IT and security personnel, and phishing simulations;
•hold annual Cybersecurity Awareness Month programming, which is available to all employees and during which we provide seminars, presentations, and employee engagement activities designed to reinforce our employee information security training and enhance the culture and knowledge of cybersecurity risks among our employees;
•carry information security risk insurance to help defray potential losses that might arise from a cybersecurity incident.
Our cybersecurity incident response plan was developed to respond to the threat of security breaches, the threat of cyberattacks, and to protect and preserve the confidentiality, integrity, and continued availability of information owned by, or in the care of, the Company. Our incident response plan coordinates the activities that we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate material cybersecurity incidents to our global crisis management plan, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
Our processes also address cybersecurity threat risks associated with our use of third party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits.
We regularly engage with assessors, consultants, auditors, and other third parties, including by regularly having third parties, including independent Qualified Security Assessors, review our cybersecurity program to help identify areas for continued focus, improvement, and/or compliance.
In our risk factors, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. See our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance:
Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Board has oversight responsibility for the Company’s Enterprise Risk Management framework. The Board, as a whole and through the various Board committees, oversees the Company’s management of material enterprise-level risk, focusing on four areas of risk: strategic, compliance, operational, and financial. To fulfill its oversight responsibility, the Board also regularly reviews, consults on, and discusses with management the strategic direction, challenges, and risks faced by the Company.
As part of its operational risk management responsibilities, our entire Board has oversight of risks from cybersecurity threats. The Audit Committee has been designated with the responsibility to regularly review the Company’s processes and procedures around managing cybersecurity threat risks and cybersecurity incidents. As discussed below, members of management report to the Audit Committee, which reports to the entire Board about cybersecurity threat risks, among other cybersecurity-related matters, at least annually.
In support of the Board's oversight of the Company's cybersecurity risk management program, the Audit Committee receives (i) quarterly updates or reports delivered directly from our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) and (ii) three reports delivered as part of the Company's enterprise risk management update to the Audit Committee. These reports may be supplemented, as needed, by the CIO, CISO, and other executives at the Company. These reports include a variety of cybersecurity topics, such as threat risk management updates, the results of exercises and response readiness assessments, our incident response plan, and steps management has taken to respond to such threat risks. In such sessions, the Audit Committee receives materials including a cybersecurity scorecard and other materials indicating current and emerging material cybersecurity threat risks, and describing the Company’s ability to mitigate those risks, and discusses such matters with our CIO and CISO.
Members of the Board and Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like enterprise risk management, operational budgeting, mergers and acquisitions, and other relevant matters.
Our CISO oversees our cybersecurity risk management program in partnership with our CIO and other business leaders, including our General Counsel. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above.
Our CIO has developed expertise in cybersecurity and compliance, enterprise architecture and road mapping, data and analytics, digital transformation, and customer service through her 39 years of experience in the information technology space. She earned her computer science degree from Temple University and currently teaches in the Masters in Information Systems program at University of San Francisco. Our CISO has worked in cybersecurity for 25 years, including thirteen years as a CISO or deputy CISO. He is currently a Certified Information Systems Security Professional and holds an Information Systems Security Architecture Professional sub-certification (CISSP-ISSAP). He also holds a Master of Science degree in computer science, with an information security specialization, from James Madison University.