Backblaze, Inc. - (BLZE)
10-K Filing Date: March 30, 2024
Item 1C. Cybersecurity
Cybersecurity attacks impact businesses and organizations of all sizes and sectors on a global basis. At Backblaze, we recognize the importance of developing, implementing and maintaining a cybersecurity risk management program. Our customers rely on our solutions to store, use and protect their files, which may include confidential or personally identifiable information, critical business information, photographs, and other meaningful content. A successful cybersecurity attack could adversely affect the confidentiality, integrity, and availability of our information systems or any data residing therein. We dedicate significant effort and resources to protect our systems and data, as well as the data of our customers, from cybersecurity threats. We are dependent on internal and external information technology systems and infrastructure to securely process, transmit, and store critical information. Our Audit Committee is responsible for overseeing our cybersecurity, which represents an important component of the company’s enterprise risk management (“ERM”). We seek to reduce cybersecurity risks through a variety of cybersecurity risk management activities that are designed to identify, assess, manage and mitigate cybersecurity threats.
Risk Management Strategy
The company’s cybersecurity risk management program is focused on the following key areas:
• Governance: As more fully described in the section titled “Governance” below, the cybersecurity risk management program is led by our Chief Information Security Officer (“CISO”), with oversight from the Audit Committee of our Board of Directors and input from the Risk Management Advisory Committee (the “Risk Management Committee”). Our Risk Management Committee consists of our Chief Executive Officer, Chief Financial Officer, General Counsel and Chief Compliance Officer, CISO, other members of management, and other employees from selected key functions of the company.
• Approach: We use a cross-functional approach to identifying, preventing, assessing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that are designed to provide for the prompt escalation of cybersecurity incidents and support appropriate public disclosure and reporting of incidents as required in a timely manner. Our cybersecurity efforts include the use of risk-based administrative, technical, and physical controls. Backblaze has implemented an extensive set of policies, procedures, systems and tools designed to help safeguard our systems and data, including firewalls, endpoint protection, detection and response solutions, intrusion detection systems, access controls including multi-factor authentication, vulnerability scanning, software static analysis, dynamic analysis and software composition analysis tools, third party independent penetration testing, independent third-party control audits, a public bug bounty program, and other systems and processes.
• Incident Response Planning: We maintain an incident response plan that includes defined processes, roles, communications, responsibilities and procedures for responding to cybersecurity incidents and other events that impact our operations. Our incident response plans are tested and evaluated on a regular basis.
• Third-Party Risk Management: Our business relies on various services from third party service providers that could adversely impact the security of our systems and business. We have implemented processes designed to identify and assess cybersecurity risks associated with our use of third-party service providers. We generally conduct a security risk assessment based on the potential for harm prior to onboarding of any such new services and include security and privacy addenda to our contracts where applicable.
• Education and Awareness: We have established a security and privacy awareness program that runs throughout the year and includes training for all company personnel to enhance employee awareness of how to detect and respond to cybersecurity threats, as well as more targeted training for company personnel that have increased responsibility for mitigating certain potential cybersecurity risks.
We regularly review and update our policies, procedures, processes and practices to address changes in the threat landscape and as a result of lessons learned from suspected, actual or simulated incidents. We also conduct tabletop exercises, and engage third party services to conduct evaluations of our security controls through penetration testing and independent audits. We also review industry best practices to assist in evaluating responses to new challenges and risks. These evaluations include testing both the design and operational effectiveness of security controls. The state of the cybersecurity program is also reported by the CISO to the Audit Committee.
Governance
Our Board of Directors, in coordination with its committees, with input from the Risk Management Committee, oversees our enterprise risk management process, including the risks arising from cybersecurity threats. Our incident response policies and procedures provide for prompt notice to key members of our management team and other company personnel of any incidents that could negatively impact the company’s systems or data. Our cybersecurity risk management program is managed by our CISO, whose security team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Our CISO also regularly provides updates to the Audit Committee on our cybersecurity program, including recent developments, key initiatives to strengthen our systems, applicable industry standards, vulnerability assessments, third-party and independent reviews, and other information security considerations.
The Audit Committee also receives information regarding cybersecurity incidents, including prompt updates for any cybersecurity incidents that may be deemed material events impacting us and which might require public disclosure. Our CISO and other key personnel also frequently engage with key vendors, industry groups, and law enforcement communities as part of our continuing efforts to improve our cybersecurity program.
Experience
Our CISO has 30 years of experience working in cybersecurity, IT, governance, risk management, regulatory compliance, and data protection and privacy program design and implementation. He previously served as the Chief Information Security Officer at multiple federal healthcare contractor organizations, and also served as the Director of IT Security at a publicly traded international satellite radio company. He is an IAPP Fellow of Information Privacy and holds over 35 security, privacy, and risk management certifications.
Cybersecurity Risks
While we dedicate significant efforts and resources to our cybersecurity program, we may be unable to successfully identify threats, prevent attacks, satisfactorily resolve cybersecurity incidents, or implement adequate mitigating controls. Any breach of our network security and information systems or other cybersecurity-related incidents that results in, or may result in, the loss, theft or unauthorized disclosure of data, or any delay in determining the full extent of a potential breach, could have a material adverse impact on our business, results of operations, and financial condition, including harm to our reputation and brand, reduced demand for our solutions, time-consuming and expensive litigation, fines, penalties, and other damages. For example, as we previously disclosed, in December 2021, an industry-wide zero-day vulnerability was discovered in the Apache Log4j logging library commonly used by many companies throughout the world that could enable attackers to take control of vulnerable servers. Although we did not identify any unauthorized access to our systems due to the Log4j vulnerability, out of an abundance of caution and because Log4j was leveraged widely in our environment, we decided it was in our customers’ best interest to take our systems offline for a short period of time until we could apply the security updates. To date, and except as otherwise may be noted in this Annual Report on Form 10-K, we do not believe that any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the company, including its business strategy, results of operations or financial condition.
For more information relating to cybersecurity risks and uncertainties, please see the risk factor entitled “If our information technology systems, including the data of our customers stored in our systems, are breached or subject to cybersecurity attacks, our reputation and business may be harmed” in Part I, Item 1A, and other risk factors in this 10-K.