COMMVAULT SYSTEMS INC 10-K Cybersecurity GRC - 2025-05-05

Page last updated on May 5, 2025

COMMVAULT SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-05 15:47:30 EDT.

Filings

10-K filed on 2025-05-05

COMMVAULT SYSTEMS INC filed a 10-K at 2025-05-05 15:47:30 EDT
Accession Number: 0001169561-25-000034


Item 1C. Cybersecurity.

Risk Management and Strategy

Commvault has established a cybersecurity program for the benefit of the company, our customers, partners and stakeholders. The cybersecurity program includes policies, processes and practices that are designed to assess, identify and manage material risks from cybersecurity threats and is integrated into our enterprise risk management program. Led by the Chief Security Officer (“CSO”), Commvault’s cybersecurity program leverages the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, with the primary objective of securing systems and data from cyber threats. We partner with industry-leading cybersecurity experts for continuous monitoring, alerting, mitigation and responsiveness related to our cybersecurity program. We adopt industry best practices and security technologies and have established a Security Incident Response Plan (“SIRP”) which outlines our processes for incident preparation, detection, analysis, containment, eradication, and post-incident analysis. In addition to the SIRP, we maintain a Crisis Management Plan to organize roles and responsibilities in the event of a crisis, a Disaster Recovery Plan to provide guidance in the recovery of systems following an outage, and a Business Continuity Plan to identify alternative means of conducting business in the event of business disruption. We partner with third party service providers to enhance our monitoring and response capabilities, facilitate readiness activities including tabletop exercises, and perform various methods of cybersecurity penetration testing. All employees are required to undergo annual security awareness training on current and potential cybersecurity threats and report suspicious activity. We also assess third-party service provider cybersecurity controls and include security and privacy terms in contracts as appropriate.
Commvault maintains a variety of third-party certifications and undergoes annual assessments for SOC 2 Type 2, ISO 27001, HIPAA, CJIS, and PCI DSS. In support of these certifications and assessments, our products also undergo security testing. Annually, internal auditors complete a risk assessment of specific business operations, such as privacy and sanctions compliance and travel and expense policy compliance, identify areas of heightened risk, and conduct dedicated audit engagements. The findings, observations, and recommendations from these engagements are shared with Management, including the CEO, CFO, Chief Trust Officer, CSO, Chief Information Officer (“CIO”), and Senior Vice President of Engineering and the Audit Committee, as appropriate. Given the increasingly complex and sophisticated cyber threat landscape, we try to be vigilant to predict and prevent attacks. Commvault has prioritized cyber resilience measures and leverages governance processes and procedures to mitigate potential business impacts if and when an adverse event occurs. To date, Commvault is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Commvault, including its business strategy, results of operations or financial condition. Although no material impacts have been recorded to date, IT system failures, network disruptions, cybersecurity incidents, and data breaches could adversely impact our business, internal controls, results of operations, and financial condition. For example, in February and April 2025, Microsoft notified the Company about unauthorized activity within our Azure environment by a suspected nation-state threat actor. 
As part of the ongoing investigation regarding this activity, the Company immediately activated its incident response plan, issued security advisories, and implemented several advanced security measures, including enhanced rotation of credentials and strengthened security monitoring, among other proactive measures. For additional description of cybersecurity risks and potential related impacts on Commvault, refer to the risk factor captioned “Risks Related to Technology and Security - We may be subject to IT system failures, network disruptions, cybersecurity incidents and breaches in data security” in Part 1, Item 1A. “Risk Factors.”

Governance

Commvault’s Board of Directors (the “Board”) provides oversight of Commvault’s enterprise risk management strategy, which includes risks from cybersecurity threats. The Audit Committee of the Board receives quarterly briefings on the cybersecurity program from the CSO and briefings on the Enterprise Risk Management Committee (“ERMC”) from the Chief Trust Officer. The Board is kept apprised of cybersecurity updates through quarterly reporting from the Audit Committee Chair and annual, or as needed, reporting directly to the Board from the CSO. Commvault’s Management, including the CEO, CFO, Chief Trust Officer, CSO, CIO, and Senior Vice President of Engineering, is responsible for our cybersecurity risk management strategy, operational decision-making, and incident preparedness and response. The current CSO holds a Bachelor of Science and Master of Business Administration from the University of Maryland, industry certifications such as CISSP, PMP, CIPP/E, CIPP/US and CISA, is affiliated with various industry working groups focused on threat intelligence and privacy, and has over twenty years of experience in cybersecurity leading technical, operational, and strategic programs to protect critical data and infrastructure.
Management ensures cybersecurity risks are communicated through the establishment of the ERMC and regular, or as needed, reporting to the Audit Committee and the Board. The ERMC is responsible for the implementation, maintenance, and execution of our enterprise risk management program. The ERMC meets quarterly, or as needed, to assess, consider, and manage material risks, including cybersecurity threats across the business. An Executive Security Council is responsible for the significant operational decisions in the event of an active cybersecurity incident. The Executive Security Council meets monthly, or as needed, with the Audit Committee Chair as an optional attendee, to provide counsel and foster productive communication between Management and the Board.


Company Information

Name: COMMVAULT SYSTEMS INC
CIK: 0001169561
SIC Description: Services-Prepackaged Software
Ticker: CVLT - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: March 30