PROCORE TECHNOLOGIES, INC. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

PROCORE TECHNOLOGIES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:04:05 EST.

Filings

10-K filed on 2025-02-26

PROCORE TECHNOLOGIES, INC. filed a 10-K at 2025-02-26 16:04:05 EST
Accession Number: 0001628280-25-008121

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk management and strategy We maintain an information security program designed to identify, assess, and manage material risks arising from cybersecurity threats to our critical networks, third-party hosted services, communications systems, hardware, software, and data, including intellectual property and confidential, proprietary, or sensitive information, such as customer data. Our President, Product and Technology (“President of P&T”), Chief Data Officer (“CDO”), the senior-most employee responsible for cybersecurity management, and other members of our cybersecurity and audit teams, help identify, assess, and manage cybersecurity threats and risks that may affect our business and operations. To help us in assessing these threats, we use various methods, including, as applicable, using a combination of manual and automated tools, subscribing to threat reports and external intelligence feeds, conducting vulnerability assessments and penetration tests, collaborating with law enforcement, and operating a bug bounty program. Depending on the environment, systems, and data, we employ various technical, physical, and organizational measures designed to mitigate material cybersecurity risks, including an incident response plan, incident detection and response processes, a vulnerability management program, disaster recovery/business continuity plans, risk assessments, data encryption, network and access controls, a vendor risk management program, physical security, employee training, cybersecurity insurance, and dedicated cybersecurity staff. In maintaining these measures, we consider certain principles from recognized frameworks, such as those published by the Committee of Sponsoring Organizations of the Treadway Commission, the International Organization for Standardization, and other applicable industry standards. Our approach to addressing cybersecurity risk is cross-functional and is designed to preserve the confidentiality, integrity, and availability of data by identifying, preventing, and mitigating cybersecurity incidents. From time to time, we engage third-party service providers, including professional services firms, threat intelligence services, cybersecurity consultants, penetration testing firms, and forensic investigators, to assist with identifying, assessing, and managing cybersecurity risks. We also rely on data-hosting companies and other third parties for certain business operations. We mitigate the associated cybersecurity risks through a third-party risk management program, which may include vendor risk assessments, security questionnaires, reviews of vendor security programs, and contractual obligations for vendors to maintain specific security measures. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under the heading “Risk Factors” in Part I of this Annual Report on Form 10-K , including the risk factor titled “If our IT systems or data, or those of third parties with which we work, are or were compromised, we could experience adverse consequences resulting from such compromise, including, but not limited to, regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, loss of customers or sales, and other adverse consequences, any of which could materially adversely affect our business, financial condition, results of operations, and prospects.” Governance Our Board oversees our enterprise risk management program, including cybersecurity risk. The audit committee of our Board (the “Audit Committee”) is responsible for oversight of our cybersecurity risk management processes, and a cross-functional cybersecurity committee (the “Cybersecurity Committee”), which is comprised of members of our management team, reports to the Audit Committee. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management team, including our President of P&T, CDO, and the senior-most employee responsible for cybersecurity management. Our President of P&T has over 25 years of experience in senior executive roles that involved ownership of, and accountability for, cybersecurity matters, including Chief Information Officer, Chief Technology Officer, and Senior Vice President / General Manager. Our CDO has over 15 years of experience in IT and previously served as the Chief Information and Digital Experience Officer for a home automation company. Prior to that, she held various leadership roles at a computer software company. Members of our management team, including our President of P&T, CDO, and the senior-most employee responsible for cybersecurity management, lead our cybersecurity assessment and management processes. Their responsibilities include hiring appropriate personnel, approving budgets, integrating cybersecurity considerations into our risk management strategy, overseeing security-related reports, communicating key priorities, and helping prepare for cybersecurity incidents. We conduct periodic training to keep personnel informed of cybersecurity threats and to communicate evolving information security policies, standards, processes, and practices. Our cybersecurity incident response and vulnerability management processes are designed to escalate significant cybersecurity incidents to members of management, including to our President of P&T, CDO, the senior-most employee responsible for cybersecurity management, and the Cybersecurity Committee. Our President of P&T, CDO, the senior-most employee responsible for cybersecurity management, and the Cybersecurity Committee work with our incident response team to mitigate and remediate potential issues. These processes include reporting significant cybersecurity threats, risks, and mitigation activities to the Audit Committee and/or the Cybersecurity Committee, as appropriate. The Audit Committee and the Cybersecurity Committee receive periodic reports, summaries, and presentations from management regarding our significant cybersecurity risks and threats, incidents, and response initiatives. Through our cybersecurity governance practices, we strive to achieve a strong cybersecurity posture and to refine our security measures to respond to emerging threats.

Company Information