Braze, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Braze, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 06:10:43 EDT.

Filings

10-K filed on 2024-04-01

Braze, Inc. filed an 10-K at 2024-04-01 06:10:43 EDT
Accession Number: 0001676238-24-000049

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management is an integral part of our overall enterprise risk management program. We have an enterprise-wide cybersecurity program designed to protect against, detect, respond to and remediate cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that are designed to prevent, identify, escalate, investigate and remediate identified cybersecurity threats and incidents, including threats and incidents associated with third-party service providers, in a timely manner. These tools include, among others, internal detection tools to support the identification, monitoring and reporting of threats, vulnerabilities and incidents, and a bug bounty program to allow security researchers to assist us in identifying vulnerabilities in our platform and products before they are exploited by malicious threat actors. We maintain a variety of incident response plans that are utilized when cybersecurity incidents are detected. We require employees with access to information systems, including specified corporate and engineering employees, to undertake data protection and cybersecurity training. Further, we use various processes to identify, monitor, assess and manage material risks from cybersecurity threats associated with the use of third-party service providers, including engaging in security reviews of third-party service providers who may have access to, or integrate with, our information systems however, we rely on these third parties to implement cybersecurity programs commensurate with their risk profile and our expectations, and we cannot ensure in all circumstances that their efforts will be successful. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program, including tabletop exercises, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. In addition to our bug bounty program, we also engage third parties to provide independent penetration testing, to support internal security audits and 45 Table of Contents to provide external security audits. We also regularly report on the results of our assessments and security testing to our audit committee. Our management is responsible for identifying, assessing, and managing cybersecurity risks on an ongoing basis by establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation and remediation measures, maintaining cybersecurity policies and procedures, and providing regular reports to our board of directors, including through the audit committee of our board directors. Our chief technology officer is responsible for our information security team which oversees and implements our cybersecurity program. Our chief technology officer has over a decade of industry experience, and is supported by a team of information security professionals who have relevant educational and industry experience, including holding similar positions at large technology companies. Our chief technology officer and information security team provide regular reports to senior management, other relevant teams and the audit committee of our board of directors on our cybersecurity program, material cybersecurity risks and mitigation strategies, and other cybersecurity developments. In addition to such regular reports, and as part of our incident response processes, our chief technology officer will provide updates on material cybersecurity threats and incidents to our audit committee and, as necessary, to the full board of directors, based on management s assessment of risk. Our board of directors has ultimate oversight responsibility for our strategic and business risk management and delegates cybersecurity risk management oversight to its audit committee. Our audit committee receives reports on, generally, a quarterly basis from our chief technology officer on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. Our audit committee is responsible for overseeing the adequacy and effectiveness of our privacy and information security policies and practices and the internal controls regarding privacy and information security. Our audit committee or chief technology officer, as appropriate, also reports material cybersecurity risks to our full board of directors. While unauthorized persons have attempted to access our information systems in the past, and will likely continue to do so in the future, we have not, to date, identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information on these risks, see Risk Factors If we or our third-party service providers experience a security breach or unauthorized parties otherwise obtain access to our customers data, our data or our platform, our solution may be perceived as not being secure, our reputation may be harmed, demand for our platform and products may be reduced and we may incur significant liabilities.

Company Information