SecureWorks Corp 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

SecureWorks Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:20:47 EDT.

Filings

10-K filed on 2024-03-22

SecureWorks Corp filed an 10-K at 2024-03-22 16:20:47 EDT
Accession Number: 0001468666-24-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As a provider of cybersecurity offerings, we understand that threat actors are increasingly becoming more sophisticated and extremely effective at compromising information and operational technologies. As this trend continues, it is vital that we have processes in place to timely and accurately detect, mitigate, respond to, and remediate cybersecurity incidents, threats or vulnerabilities that may create a material risk to our Company, that could, if the risk occurs, materially impact our Company, including, but not limited to, our financial condition and results of operations. For additional information regarding the variety of material risks we may face, including, but not limited to, those that relate to cybersecurity, refer to Part I Item 1A Risk Factors in this report. While our enterprise risk management program considers cybersecurity risks alongside other significant business risks, we also maintain robust cybersecurity processes, technologies, and controls to aid our efforts to identify, assess, and manage material risks posed to our Company. Annually, we conduct an information security risk assessment, and we periodically review our security architecture and assess third-party vendors that we use. We continuously monitor for security risks and vulnerabilities posed by the technological tools and people enabled processes we utilize. In addition, we employ a range of tools and services, including network and endpoint monitoring, third-party penetration testing, and periodic tabletop exercises to ensure timely discovery of, response to, and remediation of, security incidents. While we assess and monitor for security risks and vulnerabilities posed by our critical third parties, including our third-party vendors and service providers, our control over the security posture of our critical third parties is limited, and there can be no assurance that our assessment and monitoring of such third parties will prevent or mitigate the risk of any compromise or failure in the information assets they own or control. Our internal security controls are designed to align with standards set by the National Institute of Standards and Technology, or NIST, and the International Organization for Standardization, or ISO. In addition, our security processes are assessed by the Federal Financial Institutions Examination Council, or FFIEC, due to our status as a cybersecurity provider to several financial institutions and financial services organizations. Our security processes also are tested or assessed in accordance with the Sarbanes-Oxley Act of 2002, compliance obligations under the Service Organization Control Type 2 auditing procedure, or SOC2, and applicable privacy laws, both in the United States and internationally. Our internal security controls and our cybersecurity processes, technologies, and controls are governed by the Company s Chief Security Officer and Chief Information Security Officer, or CISO, who reports quarterly on security matters, including cybersecurity, to the Company s internal Enterprise Risk Committee. Our CISO has been with us since 2011 and has worked in cybersecurity for over 21 years. In addition, as a provider of cybersecurity offerings, we employ numerous leaders who have experience in the cybersecurity industry. All Company employees must complete required annual information security and privacy training, which are reviewed and updated annually. They also receive ongoing security awareness education through emails, presentations, and other available training materials on our intranet. Pursuant to the Board s oversight of the Company s operational risk management, the Board has designated authority and responsibility to its Audit Committee to regularly review our processes and procedures for managing cybersecurity risks and handling cybersecurity incidents. The Audit Committee receives quarterly updates from the CISO and others from the CISO s security team regarding our security programs, including a review of cybersecurity risks, threats, and vulnerabilities. Additionally, the Board of Directors receives an annual report on the cybersecurity threat landscape from at least one senior leader. Our Company, through the leadership of the CISO, utilizes a variety of security governance and operational processes to manage our secure use of technology, including, but not limited to, the management of risks from insiders, third-parties, security controls, vulnerabilities, threats, and incident response. We have adopted a comprehensive cybersecurity assessment framework, which is integrated into our security team s processes to ensure cybersecurity incidents are assessed and escalated in a timely manner, so that certain leaders within our organization further investigate, respond to, and remediate, the incident. Certain members of the Company s executive leadership team will also consider potentially applicable legal and regulatory obligations and take action to mitigate brand and reputational damage. In fiscal 2024, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. If a cybersecurity incident is determined to be material, in accordance with reporting requirements applicable to us, our comprehensive cybersecurity assessment framework outlines our controls and the procedures adopted to ensure timely compliance with our reporting obligations. 31

Company Information