ORACLE CORP 10-K Cybersecurity GRC - 2024-06-20

Page last updated on July 16, 2024

ORACLE CORP reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-06-20 at 16:21:35 EDT.


10-K filed on 2024-06-20

ORACLE CORP filed a 10-K at 2024-06-20 16:21:35 EDT
Accession Number: 0000950170-24-075605


Item 1C. Cybersecurity.

Our overall information security risk management approach is designed to enable us to assess, identify and manage major risk exposures, including from material risks from cybersecurity threats, in a timely manner. As part of our information security risk management program, we perform risk assessments in which we map and prioritize information security risks identified through the processes described below. These assessments inform our information security risk management strategies and oversight processes and we view cybersecurity risks as one of the key risk categories we face. We believe that Oracle is a target for computer hackers, cyber threats and other bad actors because our products and services store, retrieve, process and manage large amounts of data, including sensitive data. We and our vendors are regularly subject to attempts by third parties to identify and exploit product and service vulnerabilities, penetrate or bypass our security measures and gain unauthorized access to our or our customers’, partners’ and suppliers’ software, hardware and cloud offerings, networks and systems. During fiscal 2024, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, including our business strategy, results of operations or financial condition. However, if a cyberattack or other security incident results in unauthorized access to or modification or exfiltration of our customers’ or suppliers’ data, other external data, our own data or our IT systems, or if the services we provide to our customers are disrupted, or if our products or services are reported to have (or are perceived as having) security vulnerabilities, we could incur significant expenses and suffer substantial damage to our brand and reputation.

Refer to “Data Privacy, Cybersecurity and Intellectual Property Risks” in Risk Factors included in Item 1A within this Annual Report for additional discussion of the challenges we encounter with respect to cybersecurity risks.

Our corporate security and information security programs are designed to help us prevent, prepare for, detect, respond to and recover from cybersecurity threats. We leverage industry standard security frameworks to evaluate our security controls. Relevant personnel collaborate with subject matter experts throughout the process to identify and assess material cybersecurity threats, evaluate their severity, and explore ways to mitigate a potential security incident. We continually conduct security and privacy reviews to pinpoint risks associated with our products, services and enterprise. We also employ various monitoring tools to track suspicious or anomalous activity across our networks, systems, and data, and we simulate cyber threats to proactively address vulnerabilities. Finally, we routinely train our employees on cybersecurity matters. This program includes processes for triaging, assessing the severity of, escalating, containing, investigating and remediating information security events, as well as meeting legal obligations and minimizing customer impact and brand and reputational damage. In addition, we maintain insurance to protect against potential losses arising from a cybersecurity incident. Periodic tabletop exercises are conducted to test and reinforce our incident response controls, with incident severity and priority assessed on an ongoing basis. We also conduct external and internal risk management audits to assess and report on our internal incident response preparedness and help identify areas for continued focus and improvement. We conduct periodic penetration testing to identify vulnerabilities in our products, services, and systems.

We also undergo security-related industry certifications and attestations by external auditors, including System and Organization Controls (SOC) 1, SOC 2, International Organization for Standardization (ISO) 27001, 27017 and 27018, Cloud Security Alliance Security Trust Assurance and Risk (CSA STAR), Payment Card Industry Data Security Standard (PCI DSS) and other compliance frameworks. Additionally, our vendor risk management program identifies and mitigates risks associated with third-party service providers, including those within our supply chain and those with access to our customer or employee data or systems. We use the findings from these and other processes to review our information security practices, procedures and technologies.

Cybersecurity is an important area of focus for our Board of Directors. Our information security risk management program is designed to allow our Board of Directors to establish a mutual understanding with management of the effectiveness of our information security risk management practices and capabilities, including the division of responsibilities for reviewing our information security risk exposure and risk tolerance, tracking emerging information risks and ensuring proper escalation of certain key risks for periodic review by the Board of Directors and its committees. As part of its broader risk oversight activities, the Board of Directors oversees risks from cybersecurity risks, both directly and through the Finance and Audit Committee (F&A Committee). As reflected in its charter, the F&A Committee assists the Board of Directors with the management and assessment of privacy and data security risk and is responsible for reviewing and discussing with management privacy and data security risk exposures, including, among other things, the potential impacts of those exposures on our business, financial results, operations and reputation.

The F&A Committee also oversees our internal controls over financial reporting, including with respect to financial reporting-related information systems. As an element of its information security risk management oversight activities, the F&A Committee reviews the results of our incident response control tests, external and internal audits and penetration testing and oversees our vendor risk management program. The F&A Committee also receives quarterly updates regarding cybersecurity matters from senior management, including Mr. Screven, our Executive Vice President and Chief Corporate Architect (Chief Corporate Architect). In turn, the F&A Committee reports to the full Board of Directors on a quarterly basis regarding the F&A Committee’s cybersecurity risk oversight activities. We also have Board members with expansive knowledge and expertise in the area of cybersecurity. In addition to these regularly scheduled updates, our Chief Corporate Architect, Chief Privacy Officer and Head of Global Information Security may also report to the F&A Committee on how certain information security risks are being managed and progress towards agreed mitigation goals, as well as any potential material risks from cybersecurity threats that have been detected by the information security team.

Our Chief Corporate Architect is responsible for day-to-day identification, assessment and management of the information security risks we face. Our Chief Corporate Architect studied computer science at Carnegie Mellon University and has been with Oracle since 1986 in a number of positions. In his current role as Chief Corporate Architect, he drives technology and architecture decisions across all Oracle products and leads companywide strategic initiatives, including with respect to industry standards and security, to ensure that product development is consistent with Oracle’s overall long-term strategy.

Our Chief Corporate Architect is supported by team members who have relevant educational and industry experience. These team members provide regular reports to the Chief Corporate Architect and work closely with our Chief Privacy Officer and include personnel dedicated to information security, product security, and physical security. Informed by the processes and practices discussed under “Risk Management and Strategy” above, team members escalate cybersecurity threats and incidents to the Chief Corporate Architect, who assesses the severity of such threats and incidents for inclusion in quarterly updates to the F&A Committee where appropriate. In addition to the ordinary-course Board of Directors and F&A Committee reporting and oversight described above, we also maintain disclosure controls and procedures designed for prompt reporting to the Board of Directors and timely public disclosure, as appropriate, of material events covered by our risk management framework, including cybersecurity risks.

Company Information

SIC Description: Services-Prepackaged Software
Category: Large accelerated filer
Fiscal Year End: May 30