Fortinet, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Fortinet, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 18:25:06 EST.

Filings

10-K filed on 2024-02-23

Fortinet, Inc. filed an 10-K at 2024-02-23 18:25:06 EST
Accession Number: 0001262039-24-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, end users, business partners, stockholders and employees. Our board of directors is actively involved in oversight of our risk management program, and information and product security represent an important component of our overall approach to enterprise risk management ( ERM ). Our risks from cybersecurity threats are considered in conjunction with other risks in our ERM program. In addition, we leverage a cybersecurity-specific risk assessment process and strategy based on the NIST Cybersecurity Framework to manage risks to organizational operations and assets, individuals and other organizations associated with the operation and use of systems. Risk assessments are periodically conducted to identify threats and vulnerabilities, and then used to determine the likelihood and impact for each risk using a qualitative risk assessment methodology. In general, we seek to address cybersecurity risks through a broad, cross-functional approach that is focused on 43 Table of Contents preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Governance The Audit Committee of our board of directors (the Audit Committee ) is responsible for reviewing with management our cybersecurity and other information technology risks, controls and processes, including the processes used to prevent or mitigate cybersecurity risks and respond to cybersecurity events. Our executives with responsibility over cybersecurity provide quarterly reports to the Audit Committee as well as to the Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape. Our program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management and the Audit Committee. We also actively engage with key vendors, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. The Audit Committee also receives prompt and timely information regarding any cybersecurity threat or incident that meets established reporting thresholds, as well as ongoing updates regarding any such threat or incident until it has been mitigated, resolved or otherwise addressed. We believe our systems and processes with respect to the management of risks associated with cybersecurity threats are adequate. We have experienced, and may in the future experience, adverse impacts to our operations as a result of cybersecurity incidents. However, to date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business strategy, operating results, and/or financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see our risk factors, including our risk factor titled If our internal enterprise IT networks, on which we conduct internal business and interface externally, our operational networks, through which we connect to customers, vendors and partners systems and provide services, or our research and development networks, our back-end labs and cloud stacks hosted in our data centers, colocation vendors or public cloud providers, through which we research, develop and host products and services, are compromised, public perception of our products and services may be harmed, our customers may be breached and harmed, we may become subject to liability, and our business, operating results and stock price may be adversely impacted. Risk Management and Strategy As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas: Governance: As discussed in more detail above under the heading, Governance, our board of directors oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with executives with responsibility for cybersecurity, our Chief Executive Officer, Chief Technology Officer and President, Chief Financial Officer, Chief Operating Officer/General Counsel and other members of management. Management is promptly updated regarding any significant security events and the Audit Committee regularly reviews updates from our information security and product security leaders about cyber threat response preparedness, security controls and procedures, security program maturity milestones, risk and approaches to risk mitigation and the current and emerging threat landscape. In addition, all members of our board of directors receive management s cybersecurity updates to the Audit Committee as part of their regular attendance at meetings of our board of directors. Collaborative Approach: We have implemented a broad, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. In addition, we manage a cross-functional program across our engineering, manufacturing and technical services teams, together with our suppliers and channel partners, designed to ensure the proper security of our products from design through manufacture and shipment. Information Security: We implement organizational, administrative and technical measures based on commercially reasonable procedures using: (i) industry standard information security measures prescribed for use by NIST; (ii) security measures aligned with the ISO/IEC 27000 series of standards, (iii) Sarbanes-Oxley and SSAE 18/ISAE 3402; (iv) privacy regulations such as the GDPR and the CCPA; (v) business continuity management measures aligned with the ISO/IEC 22301 standard; and (vi) other generally recognized industry standards, in each case, designed to safeguard the confidentiality, integrity, and availability of our infrastructure and data and the resiliency of our operations. 44 Table of Contents Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: We have established and maintains broad incident response and recovery plans that help enable its effective and orderly management of, and response to, any identified security incidents, including escalation and internal and external-notification steps, allowing the incident response team to respond in a timely manner and enlist appropriate personnel and third-party experts. We maintain a process to promptly assess and assign severity levels to any identified security incidents in order to prioritize their importance and promptly direct resources to those issues of potentially greater impact. The notification plan establishes steps to alert external stakeholders as appropriate, including law enforcement, regulatory bodies, investors, customers and other business partners. Third-Party Risk Management: We maintain a broad, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. In addition, our Trusted Supplier Program is designed to ensure manufacturing partners undergo a selection and qualification process that adheres to NIST 800-161. Education and Awareness: We provide regular, mandatory training for personnel and contractors regarding cybersecurity threats as a means to equip Fortinet personnel with effective tools to address cybersecurity threats and to communicate Fortinet s evolving information security policies, standards, processes and practices. Risk and Readiness Assessments: We engage in the periodic assessment and testing of our policies, standards, process es and practices that are designed to identify vulnerabilities and weaknesses, address cybersecurity threats and test its readiness to respond to cyber security incidents. These efforts include a wide range of activities, including threat modeling, a variety of vulnerability and configuration scans, penetration testing, audits, tabletop exercises and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness and penetration tests. The results of such assessments, audits and reviews are reported to the Audit Committee and our board of directors and to our management, and we adjust its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews . Insurance: We maintain information security risk insurance coverage.

Company Information