Salesforce, Inc. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Salesforce, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 16:32:48 EST.

Filings

10-K filed on 2024-03-06

Salesforce, Inc. filed an 10-K at 2024-03-06 16:32:48 EST
Accession Number: 0001108524-24-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY As a global leader in CRM technology, our services involve the storage and transmission of our customers and our customers customers data. As such, we have in the past been, and likely will in the future be, the target of cybersecurity threats and other efforts to breach or compromise our services and underlying infrastructure. With trust as our foremost value and the foundation of everything we do, we recognize the importance of maintaining the safety and security of our systems and data, as our customers trust our technology to deliver the highest levels of security, privacy, performance, compliance and availability at scale. Management is responsible for the day-to-day administration of the Company s cybersecurity policies, processes, practices and risk management. The Board, including through its dedicated Cybersecurity and Privacy committee (the Committee ), oversees the various cybersecurity risks facing the Company and the Company s efforts to mitigate those risks. During the last fiscal year, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that materially affected the Company, including its business strategy, results of operations, or financial condition. However, we face ongoing and increasing cybersecurity risks, including from bad actors that are becoming more sophisticated and effective over time, as well as a result of potential defects or disruptions in our or our customers services. If realized, these risks are reasonably likely to materially affect the Company. Additional information on the cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors. Cybersecurity Risk Management and Strategy When a company purchases our service offerings, they gain a trusted digital advisor who will work together with them in efforts to protect customer data. We aim to provide the most secure and compliant enterprise cloud platform on the market and we work to build trust and in-depth defense into all of our systems. Among other things, we employ a diverse, experienced team of cybersecurity professionals, engage in community events and offer free online cybersecurity incident prevention training to enable our customers to focus on their business, knowing their data is safe and accessible as needed. We seek to address material cybersecurity risks through a company-wide approach that assesses, ranks and prioritizes cybersecurity threats, vulnerabilities and issues as they are identified to maintain the confidentiality, integrity and availability of our information systems and the information that we collect and store. The Company s cybersecurity policies, standards, processes and practices are informed by recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and an array of other applicable standards-setting bodies, which are integrated into a broader risk management framework and related processes. We also hold various security-related industry certifications and attestations that have been validated by external auditors, including SOC 1, SOC 2, SOC 3, ISO 27001, 27017 and 27018, CSA STAR and others. Leveraging threat intelligence and other signals, the Company undergoes periodic testing, audits and reviews of its policies, standards, processes and practices to identify, assess and address cybersecurity risks and events. The Company also undergoes routine internal and external penetration testing. The results of such tests and assessments are evaluated by management and periodically reported to the Committee. The Company further adjusts its cybersecurity policies, standards, processes and practices based on these results. The Company also publishes attestations of its various certifications, audits, and penetration tests on its global compliance webpage. Board Oversight and Governance As mentioned above, the Board established the Committee to provide dedicated oversight of cybersecurity-related management, strategy, initiatives, risks, threats and remediation activities. The Committee receives regular presentations, reports and updates from the Company s Chief Trust Officer ( CTrO ) and other members of management on developments regarding the Company s cybersecurity program, broader cybersecurity trends, evolving industry standards, the threat environment and other topics. After each quarterly meeting of the Committee, the Board receives a report from the Chair of the Committee with an update on the Company s oversight of cybersecurity risks and mitigation efforts. The Committee also receives periodic reports from an experienced outside consultant with information security expertise providing insights on key focus areas to aid in the Committee s oversight of the Company s cybersecurity program. The Company s processes also allow for the Board and the Committee to be informed of key cybersecurity risks outside the regular reporting schedule. While regular meetings of the Committee are scheduled on a quarterly cadence, the Committee is authorized to meet with management or individual directors at any time it deems appropriate to discuss matters relevant to the Committee. The Company s policy is for the Board and the Committee to receive prompt and timely information regarding any 35 Table of Contents cybersecurity risk (including any incident) that meets pre-established reporting thresholds, as well as ongoing updates regarding any such risk. Management Oversight and Governance The CTrO, reporting to the Company s Chief Engineering Officer ( C/E ), is responsible for designing and implementing a security program and strategy based on the mandate provided by the Board and senior management. The CTrO has extensive experience in the management of cybersecurity risk management programs, having served in various leadership roles in information technology and information security for over 15 years, including serving as the Chief Security Officer of two other large public technology companies. He also holds an undergraduate and master s degree in computer science. We believe the Company s business leaders, including our CEO, CFO, C/E and CLO, who have experience managing cybersecurity risk at the Company and at similar companies, have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats. The CTrO, in coordination with other members of senior management, works collaboratively across the Company to implement a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to cybersecurity incidents in accordance with the Company s incident response and recovery plans. To facilitate the success of the Company s cybersecurity program, cross-functional teams throughout the Company are tasked with addressing cybersecurity threats and responding to cybersecurity incidents. Through ongoing communications with these teams, the CTrO and senior management are informed promptly about, and monitor the prevention, detection, investigation, mitigation and remediation of, cybersecurity threats. These teams are expected to operate pursuant to documented plans and playbooks that include processes for escalation of incidents to leadership and to the Committee and Board, as appropriate, based on the severity level of an incident. In addition, the Company periodically consults with outside advisors and experts to assist with assessing, identifying and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company s risk management environment. Specifically, management implements the Company s cybersecurity and risk management strategy across several areas: Identification and Reporting . The Company has implemented a robust, cross-functional approach to identifying, assessing and managing cybersecurity threats and risks. The Company s program includes controls and procedures designed to properly identify, classify, and escalate cybersecurity risks to provide management with visibility and prioritization of risk mitigation efforts and to publicly report material cybersecurity incidents when appropriate. Threat Intelligence . The Company maintains a Threat Intelligence team focused on profiling, intelligence collection, and threat analysis supporting the Company s ongoing efforts to identify, assess and manage cybersecurity threats. The team s input supports both near-term response to cybersecurity events, and long-term strategic planning and development of the Company s cybersecurity risk management framework. Technical Safeguards . The Company implements technical safeguards that are designed to protect both the Company s service offerings and other information systems we control from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, vulnerability management, encryption processes and access controls, all of which are periodically evaluated and improved through risk and control assessments and in response to cybersecurity threat intelligence as well as outside audits and certifications. Incident Response and Recovery Planning . The Company has established and maintains robust incident response, business continuity and disaster recovery plans designed to address the Company s response to a cybersecurity incident, including the public disclosure and reporting of material incidents in a timely manner. These plans and procedures serve to guide and document a rigorous incident response program that reflects the roles of an array of stakeholders, including personnel providing technical, operational, engineering, legal and other perspectives across the Company. The Company conducts regular tabletop exercises involving multiple operational teams, including senior management, to test these plans and to familiarize personnel with their roles in a response scenario. Third-Party Risk Management . The Company maintains a robust, risk-based approach to identifying and overseeing cybersecurity threats presented by certain third parties, including vendors, service providers and other external users of the Company s systems, as well as the systems of third parties that could adversely impact our business in the event of a significant cybersecurity incident affecting those third-party systems. Education and Awareness . The Company regularly provides employee training on security-related duties and responsibilities, including knowledge about how to recognize security incidents and how to proceed if an actual or suspected incident should occur. This training is mandatory for employees across the Company, and is intended to provide the Company s employees with effective tools to address cybersecurity threats, and to communicate the Company s evolving information security policies, standards, processes and practices. The Company maintains several 36 Table of Contents plans designed to prepare the Salesforce Security Response Center (SSRC) with the proper training, processes and capabilities needed to effectively respond to incidents.

Company Information