Alteryx, Inc. - (AYX)
10-K Filing Date: February 06, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Our management and board of directors recognize the critical importance of maintaining the trust and confidence of our customers, business partners and employees, including the importance of managing cybersecurity risks as part of our larger risk management program. While all personnel at our company play a part in managing cybersecurity risks, as discussed in more detail under “—Governance” below, our board of directors, through delegation to the audit committee of the board of directors, or the audit committee, and our senior management team are involved in the oversight of our cybersecurity risk management program. In general, we seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, integrity, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our information security program is aligned to our overall enterprise risk management program and utilizes an overarching framework to address enterprise information security governance, which seeks to protect information assets and systems against attacks and incidents while establishing appropriate security as a priority throughout the product development process. It is a risk-based program that aligns with industry-standard frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework and use of a Cyber Security Incident Response Team, to incorporate security principles applicable to our regulatory and contractual obligations. This program is managed by a dedicated Chief Information Security Officer, or the CISO, who reports to the Chief Executive Officer and oversees a team responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes.
Our CISO has over fifteen years of experience in information security, serving in roles of increasing responsibility within public and private companies.
As part of our information security program, we have an incident response program that coordinates activities across multiple teams in responding to cybersecurity incidents in accordance with a defined Cyber Security Incident Response Policy. Each of these teams is managed by experienced and credentialed professionals with knowledge in their fields and the teams comprise a security operations center to detect, analyze, and escalate cybersecurity events, a cybersecurity incident response team to own containment and recovery activities, and a crisis response team to liaise with business stakeholders, secure priority resources, and validate completion of any post-incident activities. These teams inform our CISO of all material events and key developments and coordinate with other teams, such as the Information Technology, Legal and Privacy teams, as appropriate for analysis and compliance with legal and contractual obligations.
We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. We conduct initial due diligence on the cybersecurity profile of our vendors as they are onboarded and utilize third-party software to provide continuous monitoring and scanning of critical third-party infrastructure and to monitor any known breaches of those third-party systems.
We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We also provide regular, mandatory training for our personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats and to communicate our evolving information security policies, standards, processes and practices.
We have in the past experienced, and may in the future experience, adverse impacts to our business strategy, operating results, and/or financial condition as a result of cybersecurity incidents. However, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business or our financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have an adverse effect, including on our business operations, operating results, or financial condition. For more information regarding cybersecurity risks that we face and the related potential impacts on our business, see the risk factor titled “Cybersecurity risks and cyber incidents could result in the compromise of confidential data or critical data systems and give rise to potential harm to customers, remediation and other expenses under consumer protection laws or other laws or common law theories, subject us to litigation and federal and state governmental inquiries, damage our reputation, and otherwise be disruptive to our business and operations.”
Governance
The audit committee is responsible for reviewing with management our cybersecurity and other information technology risks, controls and processes, including the processes used to prevent or mitigate cybersecurity risks and respond to cybersecurity events. The CISO provides reports at least quarterly to the audit committee as well as to our Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. Our program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management and the audit committee. We also actively engage with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. Our audit committee also receives prompt and timely information regarding cybersecurity threats or incidents that may be material in nature, as well as ongoing updates regarding any such threat or incident until it has been mitigated, resolved, or otherwise addressed. To mitigate the impact of any cybersecurity incidents, we maintain appropriate errors and omissions insurance that provides coverage for such incidents.