Atlassian Corp - (TEAM)
10-K Filing Date: August 16, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.
We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) and Secure Software Development Framework (“SSDF”). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF and SSDF as guides to help us identify, assess, and manage cybersecurity risks relevant to our business.
Cybersecurity risks are incorporated into our overall enterprise risk management program. Our Chief Trust Officer (“CTrO”), who oversees our Trust and Security organizations and reports directly to our Chief Technology Officer (“CTO”), is responsible for overseeing the identification, assessment and management of cybersecurity risks relevant to our business.
Our cybersecurity risk management program includes, among other elements:
• Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment.
• A Security team, principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents.
• The use of external service providers, where appropriate, to assess, test, respond to or otherwise assist with aspects of our security controls, as well as maturity assessments of our cybersecurity program.
• Implementation of new hire and annual data privacy and cybersecurity training of all employees, including senior management; annual role-based training for employees in specific incident response roles, as well as for employees with specific access to systems, devices, or locations, and targeted cybersecurity incident simulation training held on a recurring basis.
• Incident response playbooks and standard operating procedures outlining procedures for detecting, responding to, and mitigating cybersecurity incidents. Depending on the nature and severity of an incident, responses may involve escalating notification to our Co-Chief Executive Officers and our board of directors.
• Post-incident reviews are conducted for major incidents to determine steps that may be taken to mitigate identified risks and reduce the likelihood of reoccurrence.
• A third-party risk management process for service providers, suppliers, and vendors. Such service providers are subject to risk tiering, security risk assessments, and recurring reviews, including investigation of security incidents that have impacted our third-party service providers, as applicable.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, whether individually or in the aggregate, have materially affected or are reasonably likely to materially affect us, our business, and our results of operations in Part I, Item 1A in this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.
Cybersecurity Governance
Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the audit committee oversight of cybersecurity and other information technology risks. The audit committee of the board of directors oversees management’s implementation of our cybersecurity risk management program. Our CTrO provides updates on significant risks to the audit committee. Our audit committee reports to the full board of directors regarding its activities, including those related to cybersecurity. The CTrO also provides updates to the full board of directors at least biannually. Outside of regular meetings, depending on the nature and severity of an incident, our CTrO will also inform the audit committee and the board of directors of significant cybersecurity incidents.
Our CTrO leads our Trust and Security organizations, which are responsible for assessing and managing cybersecurity risks. Our CTrO, who has served in his role since October 2023, has extensive experience in the cybersecurity space, including previously serving as Chief Trust Officer of another large publicly-traded enterprise software company. He oversees our efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal personnel, threat intelligence, and other information obtained from governmental, public, or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.
Within the Trust and Security organizations, we implement a structured approach to proactively manage cybersecurity risks. Our Security Governance, Risk and Compliance team monitors, assesses, and coordinates proactive identification and remediation efforts for all cybersecurity risks impacting Atlassian. This team partners cross-functionally with others in our Security organization and individuals from our legal, internal audit, engineering, and product development teams. Our Security team includes individuals with experience across a broad range of cybersecurity areas, including, but not limited to: product security; cloud security; infrastructure security; security monitoring and incident response; identity and access management; vulnerability management; and governance, risk, and compliance.