HUBSPOT INC 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

HUBSPOT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 16:31:11 EST.

Filings

10-K filed on 2024-02-14

HUBSPOT INC filed an 10-K at 2024-02-14 16:31:11 EST
Accession Number: 0000950170-24-015277

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity represents an important component of our overall approach to business strategy, risk management and financial oversight. Our board recognizes the critical importance of maintaining the trust and confidence of our customers, business partners and employees, and is actively involved in oversight of our risk management program. The board performs this oversight function at the full board level, as well as through its standing committees that address risks inherent in their respective areas of oversight. The audit committee is responsible for reviewing and assessing the quality and effectiveness of our cybersecurity policies, practices and procedures protecting our information technology systems, data, products and services across all business functions, and reporting its findings to the board, which has final oversight responsibility over cybersecurity-related matters. Our cybersecurity policies, standards, processes and practices are informed by industry-recognized standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is designed to preserve the confidentiality, security and availability of the information that we collect and store. Cyber Risk Management and Strategy Under the board s and audit committee s oversight, we have implemented and maintain a risk management program that includes processes for the systematic identification, assessment and treatment (through mitigation, transfer, avoidance and/or acceptance) of cybersecurity risks. This risk management program addresses, but is not limited to, risks identified by internal auditors and assessors, threat intelligence providers, internal stakeholders, vulnerability management programs and security management programs. We also engage external independent assessors from time to time to conduct cyber risk assessments and to report both findings and recommendations to management. Risk assessments: Our security team, in coordination with our enterprise risk management team, conducts periodic risk assessments to identify and analyze the business and security risks, vulnerabilities, emerging technologies, laws and regulations. An internal audit team evaluates the results of these risk assessments to determine critical areas for review as part of our annual internal audit plan. The results of the internal audit plan are reported to the audit committee, and the security team manages and maintains remediation strategies for identified risks. Vendor risk management: As part of our risk management program, our vendor risk management teams are responsible for conducting due diligence on vendors submitted for risk evaluation where medium- or high-risk data is in scope. We require assessments of these third-party vendors prior to establishing a business relationship, and annually thereafter for high-risk vendors, as part of our efforts to require these vendors to maintain their commitments related to data security, availability and confidentiality. Our security team s assessment of vendors security controls and processes is calibrated to the risk level assigned to the vendor. Incident response : We employ a formal process to identify, track, prioritize and remediate cybersecurity incidents that may impact the confidentiality, integrity and availability of data stored and processed on our information systems. This process addresses event detection, triage and classification, investigation and escalation, containment and mitigation, recovery and corrective actions. We maintain a written incident response plan that establishes roles, responsibilities and procedures to guide incident response operations. Policies and procedures : Our security and legal teams actively participate in industry and other advisory groups and monitor regulatory requirements to keep apprised of evolving risks. Policies and procedures, including our Written Information Security Policy, are periodically updated to adapt to evolving business conditions and information technology requirements. We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats and security incidents relating to our and our third party vendors information systems. For more information, please see Item 1A, Risk Factors. Governance Related to Cybersecurity Risks Board oversight : Our board has final oversight responsibility over cybersecurity-related matters. The full board participates in interactive sessions with management, typically twice a year, dedicated to cybersecurity risks. These sessions, led by our Chief Information Security Officer (CISO), address a range of cybersecurity-related topics, such as recent developments related to the threat 43 landscape, security controls, vulnerability assessments, third-party reviews, technological trends and information security considerations arising with respect to our peers and third parties. The audit committee assists the board in fulfilling its oversight responsibilities with respect to the management of risks arising from cybersecurity threats, and our security team provides written reports to the audit committee for its review. The audit committee is responsible for reporting findings related to its review of these matters to the board. As appropriate, the board also receives information regarding cybersecurity incidents as well as ongoing updates regarding mitigation of any such incidents until they have been resolved. Management s role in assessing and managing cybersecurity risk : Our risk management program for cybersecurity is led by the HubSpot Security & Privacy Committee, which we refer to as the Committee. The Committee oversees our information and technology risk management, compliance, and control functions, and serves as a forum for the discussion of issues involving information security and risk management. The Committee s members include senior members of management who are responsible for and collectively have experience in information security, information technology, data protection, risk management and compliance. This collaboration helps us incorporate cyber risk management across all of our significant risk management programs. The Committee is chaired by the CISO, who works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. The CISO attends regular meetings with representatives from the legal, ERM and security teams to review newly identified cybersecurity risks and re-review previously identified risks. The Committee then determines how identified risks should be treated. The results of these risk review processes are included in periodic presentations to our executive leadership team and the audit committee. Our CISO has over seven years of experience running cybersecurity programs and also served as the leader of the cybersecurity team at his previous organization. Effective March 1, 2024, our CISO will be departing the Company, and our Deputy CISO will be promoted to the CISO role at that time. Our Deputy CISO has over 25 years of experience working in security and infrastructure for SaaS and hosted services. She has a master’s degree in cybersecurity and has maintained an active CISSP certification since 2012.The CISO reports to the Chief Technology Officer, who has overseen the cybersecurity team since 2020 and has led infrastructure teams at the Company for over 11 years.

Company Information