ServiceNow, Inc. 10-K Cybersecurity GRC - 2024-01-25

Page last updated on April 11, 2024

ServiceNow, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-01-25 16:59:25 EST.

Filings

10-K filed on 2024-01-25

ServiceNow, Inc. filed a 10-K at 2024-01-25 16:59:25 EST
Accession Number: 0001373715-24-000030

Item 1C. Cybersecurity.

Cyber criminals are becoming more sophisticated and effective every day, and they are increasingly targeting enterprise software companies. All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data customers and other stakeholders entrust to us a top priority. Our board of directors (the “Board”) and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our Risk Factors include further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Risk Management and Strategy

Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:

Collaboration

Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.

Risk Assessment

At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee and members of management.

Technical Safeguards

We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.

Incident Response and Recovery Planning

We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address - and guide our employees, management and the Board on - our response to a cybersecurity incident.

Third-Party Risk Management

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.

Education and Awareness

Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats.

External Assessments

Our cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. For example, in 2022 and 2023, we conducted independent cyber audits to assess our controls against the NIST Cybersecurity Framework. The results of significant assessments are reported to management, the Board and Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments. We have also obtained industry certifications and attestations that demonstrate our dedication to protecting the data our customers entrust to us.

Governance

Board Oversight

Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. They receive regular reports from management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee directly oversees our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents.

Management’s Role

Our chief information officer (“CIO”), chief information security officer (“CISO”), chief technology officer (“CTO”), and General Counsel have primary responsibility for assessing and managing material cybersecurity risks and are members of management’s Security Steering Committee (the “Security Committee”), which is a governing body that drives alignment on security decisions across the Company. The Security Committee meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Security Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.

Our CIO has served in various roles in information technology and information security for over 20 years, including serving as the Chief Information Officer or Chief Technology Officer of three other public companies. He holds an undergraduate degree in computer engineering. Our CISO has served in various roles in information technology and information security for almost 20 years, including serving as the Chief Information Security Officer or Chief Security Officer at two other large public companies. He holds an undergraduate and master’s degree in computer science. Our CTO has served in various roles in information technology for over 25 years and has been with us since 2011. Our General Counsel has over 20 years of experience managing risks, including risks arising from cybersecurity threats, at several large publicly-traded technology companies.

Item 1A. Risk Factors.

Actual or perceived cybersecurity events experienced by us or our third-party service providers may create the perception that our platform is not secure, and we may lose customers or incur significant liabilities, which would harm our business, financial condition and operating results.

In the ordinary course of our business, we store, transmit, generate, and process our and our customers’ confidential, proprietary and sensitive data. As our business expands across the globe, the number of employees, contractors, vendors and other third parties remotely accessing our systems continues to grow. Our growing business operations increase our exposure to cyberattacks by a range of actors, who have used and will continue to use assorted tactics, techniques, and procedures, including malicious code, ransomware, social engineering, business email compromises, supply chain attacks, denial of service attacks and similar internet-enabled, fraudulent activity. Further, during times of war and other major conflicts, we and our third-party providers may be vulnerable to a heightened risk of geopolitically motivated attacks, including cyberattacks, that could materially disrupt our systems and operations, supply chain and ability to provide our services.

The cybersecurity threats are not limited to actors operating in the systems we control directly. Our increasing reliance on third-party providers and public cloud infrastructure introduces new cybersecurity risks to our business operations. We rely on third-party service providers and technologies to operate business systems in a variety of contexts, and supply chain attacks have increased in frequency and severity. While we have a vendor security review process, we cannot guarantee that our third-party service providers or our supply chain infrastructure have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our platform, systems and network or the systems and networks of third parties that support us and our business. Our ability to monitor the data security measures of our third-party providers is limited, and we necessarily depend in part on our providers to have in place and maintain adequate security measures to protect against unauthorized access, cyberattacks and the mishandling of data. Further, employee error or malfeasance in configuring, maintaining and using these services could impact our ability to monitor and secure them effectively.

While we have identified vulnerabilities in our products and services in the past and will continue to do so in the future, we cannot be certain that we will be able to identify all vulnerabilities or address the vulnerabilities of which we become aware. Further, there have been delays and may continue to be delays in developing patches that can be effectively deployed to address vulnerabilities. Third parties have, in the past, actively searched for and exploited actual and potential vulnerabilities in our software and will do so in the future. Moreover, the incorporation of third-party or open-source software code into our or our customers’ systems increases the risk of exploitation of vulnerabilities, such as the vulnerability in the Java logging library known as “log4j” that affected our industry. We also have inherited and may in the future inherit additional security risks from acquiring or partnering with other companies.

In most instances, our customers are responsible for administering access to the data held in their particular instance for their employees and service providers. While our software is delivered with certain preset configurations, we understand that our customers require flexibility to configure the Now Platform to their specific business needs. We work closely with our customers to help them evaluate their security configurations, including providing guidance to align configuration settings with their business needs. Yet, in configuring our platform, both our employees and customers have made errors in the past and may do so again in the future. We are aware that, on occasion, our customers and ServiceNow have configured certain settings on our platform, or retained preset configurations, in a manner not aligned with their preferred security levels, which can result in, and has resulted in, information being made more widely accessible than intended. Such misconfigurations can be, and have been, identified publicly, increasing the risk of data being exposed unintentionally.

While we have security measures and a data governance framework in place designed to protect our and our customers’ information and prevent data loss, these measures may not be effective at preventing material breaches caused by intentional or unintentional actions or inactions by employees, contractors or third parties. Techniques used to sabotage or to obtain unauthorized access to systems are constantly evolving and may go undetected until a successful attack occurs. Moreover, we have experienced security incidents, which may reoccur in the future, that resulted in unauthorized access to, loss, or inadvertent disclosure of confidential, proprietary and sensitive information. We have observed attempts by third parties to induce or deceive our employees, contractors or users to fraudulently obtain access to our or our customers’ data or assets. Further, our employees have fallen victim to phishing attacks in the past and may again in the future.

An actual or perceived security breach can have a material effect on ServiceNow’s operations, finances and reputation. The adverse consequences can include accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data; disruptions to our services; diversion of funds; litigation; indemnification and other contractual obligations; regulatory investigations; government fines and penalties; reputational damage; negative publicity; loss of sales, customers, and partners; mitigation and remediation expenses; and other material costs and liabilities. In addition, the assessment and response to security incidents, as well as implementation of appropriate safeguards to protect against future incidents, can lead to material economic and operational consequences. These consequences can result regardless of whether the incident is suffered by us, affects our third-party service providers or stems from customers’ action or inaction. Moreover, even if a breach is unrelated to our security programs or practices, it could still cause us reputational harm and require us to undertake significant efforts to assess and respond to the breach, including further protecting our customers from their own vulnerabilities. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. In addition, while we maintain insurance coverage, we cannot be certain that such coverage will continue to be available on acceptable terms or in sufficient amounts to cover potential losses from a security incident or that an insurer will not deny coverage as to any future claim.


Company Information

Name: ServiceNow, Inc.
CIK: 0001373715
SIC Description: Services-Prepackaged Software
Ticker: NOW - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30