APPFOLIO INC - (APPF)

10-K Filing Date: February 01, 2024
ITEM 1C. CYBERSECURITY
Our business involves the storage and transmission of a significant amount of confidential and sensitive information. As a result, we take the confidentiality, integrity, and availability of this highly sensitive information seriously and invest significant time, effort, and resources into protecting such information. Our cybersecurity strategy was designed with the foregoing principles in mind and prioritizes detecting and responding to threats and effective management of security risks.
To implement our cybersecurity strategy, we maintain various safeguards to secure the data we hold, including encrypting sensitive data, utilizing a robust 24/7/365 security monitoring system, regularly assessing product features for security vulnerabilities, periodically conducting internal penetration tests, and providing our customers with multi-factor authentication options to help them effectively protect their information. We also have data and cybersecurity protection and control policies to facilitate a secure environment for sensitive information and to ensure the availability of critical data and systems. We have processes in place to assess and manage vendor cybersecurity risks, which include initial and periodic security program reviews and, in cases where personal information is shared, ongoing cybersecurity and privacy obligations that are documented in data processing agreements. We engage independent third parties to audit our adherence to our cybersecurity policies and conduct infrastructure and application security assessments and penetration testing. These third parties help us assess our internal preparedness, adherence to best practices and industry standards, and compliance with applicable laws and regulations as well as help us to identify areas for continued focus and improvement. We conduct annual information security awareness training for employees involved in the systems or processes connected to confidential and sensitive information. We also carry insurance that provides certain, limited protection against potential losses arising from a cybersecurity incident.
The Risk and Compliance Oversight Committee of our Board of Directors (the "RCOC") is responsible for overseeing and reviewing AppFolio's cybersecurity program and cybersecurity risk exposure and the steps taken to monitor and mitigate such exposure. The RCOC updates the full Board of Directors on cybersecurity matters as appropriate.
Our information security team is led by our Chief Information Security Officer ("CISO"), who has served in the role since 2015 and has experience in application security, intrusion detection, penetration testing, complex threat modeling, and unconventional cyber-attack vectors. The CISO oversees a team of information security professionals who are devoted full time to assessing and managing cybersecurity threats on a day-to-day basis. The CISO attends each quarterly meeting of the RCOC to brief members on information security matters and discuss cybersecurity risks generally.
In addition, our management team has established an Enterprise Risk Management Program (the "ERM Program"), which includes processes designed to identify, assess, categorize, and monitor key current and evolving risks facing AppFolio, including cybersecurity risks. Management is made aware of current and evolving cybersecurity risks through ERM Program reporting. Furthermore, in the event of a material or potentially material cybersecurity event, senior members of management are promptly informed of such event and oversee triage, response, and disclosure efforts pursuant to the terms of a documented incident response plan.
Notwithstanding the foregoing efforts, there can be no assurance that the security measures we employ will prevent malicious or unauthorized access to our systems or information. No security program can entirely eliminate the risk of human error, such as an employee or contractor’s failure to follow one or more security protocols. Like many other businesses, we have experienced, and are continually subject to, cyber-attacks. While these past cyber-attacks have not materially affected us and are not, in our belief, reasonably likely to materially affect us, future cybersecurity incidents and threats may materially affect us, including by affecting our business strategy, results of operations, or financial condition. See Item 1A, "Risk Factors" for additional details regarding cybersecurity risks.