VARONIS SYSTEMS INC - (VRNS)
10-K Filing Date: February 06, 2024
Item 1C. Cybersecurity
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, sensitive financial information and personal identifiable information (“Information Systems and Data”).
The Chief Information Security Officer (“CISO”) and the information security team that reports to the CISO help identify, assess and manage our cybersecurity and privacy threats and risks, including through the use of our external and internal risk assessments. The CISO and the information security team identify and assess risks from cybersecurity threats by monitoring and evaluating our networks, data and our risk profile using various methods including, among other things, manual tools, automated tools, analyzing reports of threats and actors, conducting scans of the computer networks, internal and/or external audits (including compliance audits with respect to ISO (27001, 27017, 27018, and 27701) for our corporate and cloud-based software solutions and SOC 2, PCI DSS and HIPAA with respect to our cloud-based software solutions), conducting assessments for potential internal and external threats, third-party-conducted risk assessments, conducting vulnerability assessments, third-party-conducted red/blue team testing and tabletop incident response exercises and subscribing to reports and services providing cybersecurity threat intelligence.
Depending on the environment, we implement and maintain various technical, physical and administrative processes, measures, standards and policies designed to manage and mitigate risks from cybersecurity threats to our Information Systems and Data, including, among other things, an incident detection and response plan and procedures, a vulnerability management policy, disaster recovery/business continuity plans, risk assessments, cryptography, network security controls, secured remote access, access controls, change management, physical security, asset management, a secured software development lifecycle, logging and monitoring, third-party risk management programs, security awareness training, third-party and company penetration testing, cybersecurity insurance and dedicated cybersecurity staff. We use our own software to help further mitigate the risk of a material cybersecurity incident. In addition, our Varonis Data Security Platform is deployed internally as part of our insider threat, data security posture, security operations and compliance management programs.
Our assessment and management of material risks from cybersecurity and privacy threats are integrated into our overall risk management processes. For example, cybersecurity risk is addressed as a component of our enterprise risk management program and identified in our risk register. In addition, the information security team works with management to prioritize our risks that are more likely to have a material impact on our business and our CISO evaluates material risks from cybersecurity threats against our overall business objectives and reports to the technology committee of the board of directors (the “technology committee”) and the board of directors. In addition, the audit committee of the board of directors (the “audit committee”) oversees our overall enterprise risk management program and receives semi-annual updates on cybersecurity and privacy threat-related risks as part of such program.
We use third-party service providers to assist us from time to time to identify, assess and manage material risks from cybersecurity threats, including, among other things, cybersecurity consultants, cybersecurity software providers, penetration testing firms and other professional services firms.
We use third-party service providers to perform a variety of functions throughout our business, such as SaaS providers and cloud hosting companies. We have a vendor management program designed to manage cybersecurity and privacy risks associated with our use of these providers. The program includes risk assessments for vendors, security questionnaires, review of the vendor’s written security program, review of security assessments and reports, audits and vulnerability scans related to the vendor, and imposition of information security contractual obligations on the vendor. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity and privacy on the provider.
For a description of the risks from cybersecurity threats that may have a material effect on us, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Security breaches, cyberattacks or other cyber-risks of our IT and production systems could expose us to significant liability and cause our business and reputation to suffer and harm our competitive position.”
Governance
Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The technology committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The technology committee meets quarterly with members of management, including our CISO, Chief Information Officer (“CIO”), Chief Technology Officer or Senior Vice President of Engineering, as applicable, to discuss cybersecurity developments, significant cybersecurity threats and risks and the processes we have implemented to address them. The audit committee also receives presentations related to cybersecurity threats, risk and mitigation on a semi-annual basis unless more frequent discussions are necessary. The board of directors also receives a presentation from our CISO or CIO on our cybersecurity measures and risks at least annually.
Our cybersecurity risk assessment and management processes are implemented and maintained by our CISO. Guy Shamilov, our CISO for the last seven years, has been a chief information security officer for eight years and holds the Certified Information Systems Security Professional (CISSP) certification, among other technical certifications he holds with respect to cybersecurity. He has worked over the last twenty years in the security industry, and prior to working with us, he was CISO of Tata Consultancy Services, Deputy Chief Information Security Officer of Traiana, Information Security Manager of Logic Industries, Senior Information Security Specialist of Migdal Group and Information Security and System Administrator at Matrix. Our CISO oversees the implementation of and compliance with our information security standards and the mitigation of information security related risks.
Our CISO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy and communicating key priorities to relevant personnel. Our CISO is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports.
Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including Security Management, the Chief Executive Officer, the Chief Financial Officer, the General Counsel, the CIO and other senior members of the Company. Such individuals work with our incident response team to help us assess, mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response plan includes reporting to the technology committee of the board of directors for certain cybersecurity incidents.