Pure Storage, Inc. - (PSTG)

10-K Filing Date: March 30, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We have implemented and maintain various processes to identify, assess, prioritize, manage, and report on cybersecurity risks that could result in loss or other adverse consequences to Pure Storage. We maintain a variety of channels designed to identify risks, including risks associated with our use of third-party service providers, such as by conducting vulnerability assessments, reviewing audit findings, discussing with key stakeholders, and analyzing security incidents and reports from our employees and others.
We maintain procedures and processes designed to evaluate and respond to certain identified risks. We assess potential adverse impact across a variety of factors, such as financial, product roadmap, brand and reputation, operational performance, and our ability to comply with applicable laws and regulations. Potential responses to cybersecurity risks include:

Avoiding activities or situations that could lead to harm.
Engaging in preventative measures, safety protocols, and security enhancements.
Allocating risk through contract or insurance.
Developing contingency plans to address potential negative outcomes associated with cybersecurity risks if they occur.
Our cybersecurity program is integrated into our broader enterprise risk management framework. For example, certain members of our executive management evaluate material risks from cybersecurity threats against our overall business objectives and report to our Audit and Risk Committee (Audit Committee) of the Board of Directors, which evaluates our overall enterprise risk.
We use third-party service providers to assist us from time to time in an effort to identify, assess, and manage material risks from cybersecurity threats. These service providers provide services such as threat intelligence and dark web monitoring. In addition, we engage independent third parties (such as assessors or consultants) to periodically assess the capability and maturity of our cybersecurity program.
Our Governance, Risk, and Compliance (GRC) team oversees our third-party cybersecurity risk management program, which evaluates the security posture of certain third-party vendors. Our assessments may include the collection and verification of various cybersecurity measures implemented by our third-party vendors. Depending upon the third-party vendor as well as the data and information systems to which the vendor will have access, the GRC team may review the vendor’s information security policies and standards, examine the vendor’s certifications and attestations, and review vulnerability assessments or other evaluations.
For a description of the risks from cybersecurity threats that may materially affect our company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factor entitled “If our security measures, or those maintained on our behalf, are compromised, or the security, confidentiality, integrity or availability of our information technology, software, services, networks, products, communications or data is compromised, limited, or fails, our business could experience a material adverse impact, including without limitation, a material interruption to our operations, harm to our reputation, a loss of customers, significant fines, penalties and liabilities, or breach or triggering of data protection laws, privacy policies or other obligations."
Governance
Our Board of Directors addresses the company’s cybersecurity risk management as part of its general oversight function. Our Audit Committee is responsible for overseeing the company’s cybersecurity risk management program, including mitigation of risks from cybersecurity threats. In addition, we have established an Executive Security Council (ESC). The ESC oversees and governs our cybersecurity program.
Our cybersecurity program is implemented and maintained by the Pure Security Office (PSO), a team of security professionals responsible for developing and implementing an information security program designed to protect our assets, including data, networks, applications and people, from cyber threats. The PSO includes individuals with expertise in the following areas, who apply that expertise at the company as follows:
Governance, Risk & Compliance (GRC). Maintaining cybersecurity policies, standards, and processes in place and providing training to our employees on them.
Security Operations. Monitoring our critical systems and assets, and ensuring that we are able to identify and respond to security incidents in a timely manner.
Security Engineering & Architecture. Implementing risk-based security controls.
Product Security. Supporting our product teams’ security objectives by providing design review, certification management, penetration testing, and consulting services, as well as operating security vulnerability management and reporting dashboard capabilities.
Enterprise resiliency. Developing policies, procedures and practices for critical operations recovery and business continuity in the event of a cybersecurity incident.
The PSO reports to our Audit Committee and ESC on cybersecurity risks. Our Chief Information Security Officer (CISO) meets with the ESC and Audit Committee periodically in an effort to review the company’s cybersecurity risks, the company’s prevention, detection and remediation efforts of cybersecurity incidents (as appropriate), and key cybersecurity performance indicators. We also maintain procedures designed to escalate certain cybersecurity risks and incidents to members of executive management and the board of directors, as appropriate.