Snowflake Inc. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

Snowflake Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 16:16:31 EDT.

Filings

10-K filed on 2024-03-26

Snowflake Inc. filed a 10-K at 2024-03-26 16:16:31 EDT
Accession Number: 0001640147-24-000101


Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintain a cybersecurity program designed to identify, assess, and manage material risks from cybersecurity threats to (i) our information systems and data, which include critical computer networks, third-party hosted services, communications systems, hardware and software, and (ii) critical data, including our intellectual property, confidential information that is proprietary, strategic or competitive in nature, and our customers' data. Our cybersecurity program includes an information security policy, access management policies, an open-source policy, security incident response processes, and a supply chain policy, in addition to the secure design and vendor management programs described below. For a description of the risks from cybersecurity threats that may materially affect us, see the section titled "Risk Factors" included elsewhere in this Annual Report on Form 10-K.

Our information systems generally fall into two categories: our platform and our corporate systems. Each category has dedicated teams and processes in place to address cybersecurity risk. Our product security team, which reports into our EVP, Engineering, works alongside our product and engineering teams to address how security is designed into our platform. Our corporate security team, which reports to our Chief Information Security Officer within our Chief Financial Officer's organization, is responsible for the secure design of our corporate systems. In addition, our Chief Information Security Officer manages a global security team that performs certain cybersecurity functions for both our platform and corporate systems, including certification management, incident response, threat detection, analytics, and offensive security (such as simulations and penetration tests).

We actively monitor our threat environment for cybersecurity threats using various methods, including automated detection tools, scans of the threat environment, investigations of potential threats we discover or that are reported to us, and reports and services that identify threats. We monitor our information systems for vulnerabilities using internal and third-party penetration testing, intelligence feeds, and vulnerability databases. We also have a bug bounty program. Our security teams work with management to prioritize our risk management processes and mitigate cybersecurity threats, including those that may materially impact our business.

Our assessment and management of material risks from cybersecurity threats is a key risk area within our enterprise risk management program. Our Chief Information and Data Officer, Chief Information Security Officer, and EVP, Engineering are responsible for management of cybersecurity risk under our enterprise risk management program, and senior management and the audit committee of our board of directors receive reports on the key risks and the effectiveness of our management of such enterprise risks. In addition, key cybersecurity risks are assessed as part of our internal audit program. We have completed various security audits and certifications, including SOC 2 Type II, SOC 1 Type II, PCI-DSS, HITRUST, FedRAMP High, and ISO/IEC 27001. We also employ a shared responsibility model where our customers are responsible for using and configuring our platform in a manner that meets applicable cybersecurity standards. As part of this shared security model, customers have sole responsibility for creating and securing their access credentials for our platform.

Each of our platform and corporate systems involves the use of third-party technology or service providers, or vendors, such as hosting platforms, open-source software, and application providers. We also use vendors to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats to our platform and corporate systems, including consulting firms, external legal counsel, incident response vendors, penetration test providers, auditors, monitoring technology, and cybersecurity data providers. We have a vendor management program under which our corporate security, product security, and legal teams evaluate cybersecurity risks presented by our use of vendors. Depending on the nature of the technology or services provided, the sensitivity of the information systems and data at issue, and the identity of the vendor, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks. For higher-risk vendors, this process includes a vendor security questionnaire, an evaluation of the vendor's security program and security documentation, and the imposition of contractual obligations related to cybersecurity on the vendor. All vendors are required to undergo this review, which is in addition to the applicable security reviews conducted by our product security and corporate security teams described above.

Governance

Our board of directors has a cybersecurity committee of the board to assist it in fulfilling its oversight responsibility with respect to the management of cybersecurity risks related to our products and services as well as our information technology and network systems. The responsibilities of the cybersecurity committee include overseeing our implementation and maintenance of cybersecurity measures, data governance, and compliance with applicable information security laws. The cybersecurity committee receives reports from management concerning our significant cybersecurity threats and risk and the processes we have implemented to address them and has access to various reports, summaries or presentations related to cybersecurity threats, risk, and mitigation. In addition, our audit committee has oversight responsibility over our internal financial controls and our enterprise risk management program, including disclosure controls related to cybersecurity. Finally, management periodically provides cybersecurity briefings to the entire board of directors.

The members of management who are primarily responsible for assessing and managing our material risks from cybersecurity threats are Brad Jones, our Chief Information Security Officer, and Grzegorz Czajkowski, our EVP, Engineering & Support. Mr. Jones joined Snowflake in 2023 and previously served in various cybersecurity roles for over 12 years across multiple technology sectors, including manufacturing, software, and services. Mr. Jones reports to Sunny Bedi, who has served as our Chief Information and Data Officer since 2020 and, prior to joining us, served as VP of Corporate IT / Head of Global IT at NVIDIA, where his responsibilities included managing IT security. Mr. Czajkowski joined Snowflake as SVP, Engineering & Support in 2019 and, prior to joining us, served in various roles at Google, including as VP Engineering where he was responsible for a portfolio of Google Cloud data analytics and for internal services addressing data analytics needs of Google's businesses. Each of Messrs. Jones and Czajkowski is responsible for hiring appropriate personnel, integrating cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to management depending on the circumstances, including the individuals named above, who work with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our security incident response plan provides for reporting certain cybersecurity incidents to our board of directors.


Company Information

Name: Snowflake Inc.
CIK: 0001640147
SIC Description: Services-Prepackaged Software
Ticker: SNOW - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: January 30