DigitalOcean Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

DigitalOcean Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:11:19 EST.

Filings

10-K filed on 2024-02-21

DigitalOcean Holdings, Inc. filed an 10-K at 2024-02-21 16:11:19 EST
Accession Number: 0001582961-24-000031

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program, which includes administrative, technical and physical safeguards designed to maintain the confidentiality, integrity and availability of company and customer information. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas, including the involvement of cross-functional teams and, depending on the nature and severity of an incident, an escalation path to notify our executive and senior management teams and our board of directors (Board). We have an established process and playbook led by our chief information security officer (CISO) governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident. We undertake periodic reassessments of the Company s risk profile and may make certain adjustments to our security controls based on such assessments to further enhance our security posture. Our cybersecurity risk management program includes: a risk assessment methodology designed to escalate cybersecurity risks to the appropriate channels within our organization in order to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment; a security department, including our CISO and experienced information systems security professionals and information security managers, divided into three teams: (1) security operations, which is responsible for 47 responding to abuse on our platform, digital forensics and incident response, and threat intelligence; (2) security engineering, which is responsible for security data analysis and observability on our infrastructure and product offerings; and (3) trust and governance, which is responsible for privacy and security regulatory compliance and risk management; a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents and escalating cybersecurity incidents to cross-functional teams, management and our Board of Directors (Board); deployment of technical safeguards that are designed to protect our platform, customers, employees and systems from cybersecurity threats. We maintain cybersecurity insurance that provides coverage for cyber breaches, cyber-crime, and related matters; the imposition of contractual obligations related to cybersecurity on our third-party vendors. In addition, we assess the security profile of those vendors that store, process or have access to sensitive data through questionnaires and data flow risk assessments; securing data going to third-party vendors and, depending on the nature of the services provided, the sensitivity of the data at issue and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, including through the use of monitoring tools, threat intelligence tools, and data protection tools. We actively monitor, manage and configure our systems to protect our data against any vulnerabilities we find; continuous monitoring of our infrastructure network for vulnerabilities and threats through our security observability platform; a system to proactively identify risks that may threaten customer information and utilize both internal and external resources to perform a variety of vulnerability and penetration testing on the platforms, systems and applications used to provide our products and services; engagement of third party experts to assist in assessing, managing and reviewing various risks from cybersecurity threats and incidents, including to perform independent audits our data centers, to conduct adversary simulations and to perform network penetration tests periodically; mandatory periodic cybersecurity awareness training for all of our employees and consultants, covering key threats and measures to take to protect their own data and the data of the company in addition to role-specific training for security personnel; and a robust privacy practice governing information we collect from customers and how we use, share and store such customer data and implementation of measures to collect personal data only to the extent necessary to service our customers and to protect customer content data through limited access. Our cybersecurity risk management program is designed to be adaptable in order to respond to an evolving landscape of emerging threats and available technology. Our security controls and cybersecurity risk management program are evaluated through data gathering and analysis of emerging threats from internal and external incidents and technology investments. See the Part I, Item 1A. Risk Factors for a more comprehensive description of risks related to cybersecurity. Cybersecurity Governance Our Board has overall oversight responsibility for our risk management and delegated cybersecurity risk management oversight to the Audit Committee of the Board. The Audit Committee oversees management s implementation of our cybersecurity risk management program. Our CISO is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Audit Committee on a regular basis and briefing the full Board on cybersecurity risk oversight activities and preparedness efforts on an annual basis, as well as on an ad hoc basis upon request. Our Security teams have a wealth of cross-industry, government, and national defense experience. We employ qualified and certified security practitioners with specialized skill sets in security engineering, incident response, forensics, and threat management. Our CISO has more than a decade leading highly technical security teams that evolve with the technology and threat landscape. Our security and legal teams oversee our information security and privacy practices and are responsible for identifying and proactively addressing security and privacy risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and incident response plans and maintaining cybersecurity programs. We maintain an in depth incident response plan that includes a 48 process for identifying, containing and removing any threats and vulnerabilities and a plan to recover and restore normal business operations following an incident. Members of the security team are always on call to be able to address any issues that arise. In addition, we have created a cybersecurity materiality assessment team, which includes representatives from our security, legal, internal audit, communications and investor relations departments that reviews and assesses the impact of cybersecurity incidents on the company, our customers and other stakeholders. Our material assessment framework provides for an escalation path for any potentially material cybersecurity incidents from the security team to our CISO who may further escalate to the materiality assessment team, senior management and the Audit Committee. To ensure our preparedness to appropriately respond to cybersecurity incidents, the cross-functional team meets regularly and conducts simulations of cybersecurity incidents to test its procedures. Our executive and senior management teams, including our chief executive officer, chief financial officer and CISO, supervise these efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents and the risk assessments and disclosure required if cybersecurity incidents do arise, through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Company Information