Sprout Social, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Sprout Social, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:01:59 EST.

Filings

10-K filed on 2024-02-23

Sprout Social, Inc. filed an 10-K at 2024-02-23 16:01:59 EST
Accession Number: 0001517375-24-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As a cloud service provider, Sprout Social believes keeping data secure is important and takes steps designed to do so. Risk Management and Strategy We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical infrastructure, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and data related to our employees and customers ( Information Systems and Data ). Sprout Social maintains an overarching security program comprised of several teams including (1) Security Operations, (2) Information Technology, (3) Application Security, (4) Infrastructure Security, and (5) Governance, Risk, and Compliance. Together, these teams help identify, assess and manage the Company s cybersecurity threats and risks using various methods including, for example, internal and external audits, automated and manual tools, threat assessments for internal and external threats, software and services that identify cybersecurity threats, third party threat assessments, a vulnerability management policy and program, incident response exercises, and, evaluating threats reported to us through an external bug bounty program. Our security program is designed to align with the ISO 27001 (International Organization for Standardization) standard, incorporates elements from the National Institute of Standards and Technology (NIST), and is regularly reviewed and audited by independent external third-party auditors. Depending on the environment, as part of our security program, we have implemented and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, a general information security policy, incident response plan and incident response policy, data classification, protection, retention, and destruction policy, server protection and logging standards, vulnerability management program, vendor selection and security standard, business continuity and disaster recovery plan, employee onboarding, offboarding, and access escalation policy, risk management and audit policy, regular penetration testing of certain networks, maintaining industry recognized certifications, cybersecurity insurance, and dedicated cybersecurity staff. Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. For example, cybersecurity risk is addressed as a component of the Company s enterprise risk management program and identified in the Company s risk register. Also, the security team works with management to identify, discuss, and prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business. In addition, we use third-party service providers to assist us from time to time in reviewing our policies, standards and procedures, identifying and assessing material risks from cybersecurity threats, and making recommendations to improve our security program including for example professional services firms, external legal counsel, penetration testing firms, cybersecurity consultants, and cybersecurity software providers. We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, and other types of third-party service providers for critical business operations. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process 55 may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the section of our risk factors titled, Risks Related to the Use of Technology. Governance Our overarching security program, enterprise-wide cybersecurity strategy, risk management program, and related security policies, standards, and processes are managed by the Vice President of Information Technology, Security, and Compliance and the Chief Technology Officer. They are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company s business strategy, communicating key priorities to relevant personnel, approving budgets, preparing for cybersecurity incidents, approving cybersecurity policies, and reviewing internal and external security assessments and other security-related reports. They also report on our risk management program, overall security posture, progress on maturing the security program, and new or emerging risks to senior management and the Board of Directors as applicable and on a regular basis. Our Board of Directors addresses the Company s cybersecurity risk management as part of its general oversight function. The Board of Directors is responsible for overseeing Company s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management based on predefined criteria, including, for example, to our Vice President of Information Technology, Security, and Compliance, General Counsel, and CTO. Senior managers work with the Company s incident response team to help the Company mitigate and remediate certain cybersecurity incidents of which they are notified. In addition, the Company s incident response plan includes reporting to the Board of Directors, regulators, and law enforcement for certain cybersecurity incidents.

Company Information