Dynatrace, Inc. 10-K Cybersecurity GRC - 2025-05-22

Page last updated on May 26, 2025

Dynatrace, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-22 16:09:10 EDT.

Filings

10-K filed on 2025-05-22

Dynatrace, Inc. filed a 10-K at 2025-05-22 16:09:10 EDT
Accession Number: 0001773383-25-000065

Item 1C. Cybersecurity.

We have dedicated substantial resources to prevent and manage cybersecurity risk. We have administrative, technical, and physical security measures in place, as well as policies and procedures to require third parties to whom we transfer data to implement and maintain appropriate security measures. We proactively employ multiple methods at different layers of our systems which are designed to defend against intrusions and attacks and protect our data. We also consider the threats and challenges that we and other companies face as cybersecurity attacks grow in frequency and complexity.

We have in the past been, and may in the future be, the target and victim of cybersecurity attacks. In general, security incidents have increased in sophistication and have become more prevalent across industries and may occur on our systems, or on the systems of third parties we use to host our solutions or SaaS solutions that we use in the operation of our business, or on those third party hosting platforms on which our customers host their systems. Although we have taken significant measures to detect, effectively remediate, and prevent phishing and other attacks and security threats, we cannot be certain that our efforts will be effective to prevent and remediate all attacks and security threats. To date, we do not believe we have experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See the “Risk Factors” section of this Annual Report for more information on material cybersecurity risks that we face.

Risk Management and Strategy

Cybersecurity risk management is integrated within our enterprise risk management (“ERM”) program, which identifies, prioritizes as to likelihood and magnitude, and continuously monitors the various short-term and long-term risks that Dynatrace faces and how they are being addressed.

In developing our cybersecurity risk management program, we are informed by industry benchmarks and standards, including the cybersecurity framework created by the National Institute of Standards and Technology (“NIST”). We also have various security-related certifications and authorizations, including ISO 27001, SOC 2 Type II, FedRAMP and StateRAMP.

We have an Information Security Office that is responsible for preventing, assessing, detecting, mitigating, and remediating cybersecurity risks. The Information Security Office, which is led by our Chief Information Security Officer (“CISO”), works cross-functionally with different business and corporate functions, as all Dynatrace employees are considered critical to our company’s security. Our Information Security Office also partners with external organizations to maintain and enhance our cybersecurity systems and processes. Our Board of Directors and two of its committees are also involved in the oversight of our cybersecurity risk management. We discuss our CISO and the Board in more detail in the “Governance” section below.

Risk assessment and management - Our corporate and product security professionals assist in managing cybersecurity systems and in preventing, detecting, assessing, and resolving cybersecurity incidents. We build cybersecurity principles into our product development and system design, we have internal and external penetration testers who test our product platform and corporate systems, and we have a bug bounty program that can incentivize external security researchers who help us identify and fix bugs and vulnerabilities before they are exploited. Our internal audit team and our company’s independent auditors periodically assess the effectiveness of certain of our cybersecurity-related controls. From time to time, we also engage external consultants and advisors to perform independent security testing and assessments and to assist with aspects of our cybersecurity program. We also utilize automated technology that alerts our security team of unusual activity in our corporate systems, product platform, and public-facing systems as well as automated security vulnerability scanning for our code base. As part of our processes, we require applicable internal approvals for changes to security-critical aspects of our product platform and services.

Third-party risk management - We assess the cyber risk of potential third-party service vendors, partners, and other service providers. We evaluate third parties before onboarding and periodically afterwards or if we detect a significant change in their cyber risk rating. We also perform security assessments on third-party code libraries before internal use. We categorize third parties in tiers based on the services that they provide to our company, the information and data that they have access to, and our overall assessment of the significance and risk of their operations to Dynatrace. We focus more detailed reviews and more frequent assessments on third parties that are in our highest tier.

Incident response planning - We have an incident response plan that sets forth a structured process and approach for how we assess, respond to, recover from, and remediate cybersecurity incidents. Under the plan, our CISO, the Information Security Office, and any incident response team that may be formed, work with our legal team, our privacy office, and any other applicable internal teams and external resources to address and communicate about incidents to key stakeholders, including the Board and its Cybersecurity Committee. As part of our incident response processes, we maintain disaster recovery plans and we prepare for any required external disclosures or reporting related to cybersecurity incidents. We review and test our incident response plan from time to time through tabletop exercises and other scenario planning to enhance management and Board preparedness in the event of a potential cybersecurity incident and to identify areas of continuous improvement. We believe that our planning and related processes, reviews, and testing help minimize the potential impacts to our company from cybersecurity incidents and help us recover from them as quickly as possible.

Training and education - We require employees and contractors to complete data protection and security awareness training in connection with onboarding and annually thereafter. These trainings cover a wide range of topics, including, but not limited to, ransomware, impersonation attacks, data handling and privacy, fraud, phishing, and identity theft. We conduct phishing simulation tests during the year to educate, train, and assess our employees’ ability to identify malicious emails and employees who do not follow our protocol are provided with additional follow-up training. From time to time, we also require supplemental training depending on an individual’s role or job responsibilities. Our CISO also periodically presents on cybersecurity matters at company-wide meetings and with individual business and corporate functions.

Governance

Board oversight - Our Board of Directors, as a whole and through its committees, has responsibility for the oversight of our risk management. The Board is responsible to satisfy itself that the risk management processes designed and implemented by management are adequate and functioning as designed. The Board has a standalone Cybersecurity Committee that is responsible for managing oversight of our cybersecurity-related investments, programs, plans, controls, and policies. The Cybersecurity Committee also provides feedback on cybersecurity-related matters, including, but not limited to, strategies, objectives, capabilities, initiatives, and policies. The Cybersecurity Committee meets during the year with the CISO and other members of our executive leadership team. In between meetings, the CISO periodically provides the Cybersecurity Committee with a written report on cybersecurity matters.

The Board’s Audit Committee oversees our ERM program, which includes cybersecurity risk management as a focus area. The full Board also receives periodic reports from management on the ERM program. The Chairs of the Cybersecurity Committee and the Audit Committee periodically update the full Board on specific committee-level topics and discussions. This enables the Board and its committees to coordinate the risk oversight role, particularly with respect to risk interrelationships. From time to time, the CISO and other members of our executive leadership team discuss cybersecurity-related matters with the full Board at its scheduled meetings. Outside of scheduled meetings, management also periodically notifies or updates the Cybersecurity Committee or the Board, as appropriate, regarding certain types of cybersecurity incidents and matters.

Management’s role - Management is responsible for assessing and managing our material cybersecurity risks, practices and policies on a day-to-day basis. Our CISO, who reports to the Chief Financial Officer, leads the Information Security Office and our cybersecurity program. Our CISO has worked in information technology and cybersecurity roles for more than three decades and has led our program since 2018. As part of his role, our CISO is responsible for communicating and coordinating cybersecurity-related matters with the Board and the Cybersecurity Committee (as discussed above) and our executive leadership team. For example, our CISO collaborates with the Chief Technology Officer and the Chief Legal Officer on cybersecurity measures throughout the organization and the CISO works with the Chief Product Officer in connection with the introduction or updating of security features for the Dynatrace platform and our services.

The Information Security Office is comprised of professionals who collectively have significant experience in a wide range of cybersecurity matters, including threat assessment and detection, incident response and secure software development, and risk management. The Information Security Office works with Dynatrace’s other business and corporate functions and keeps the CISO informed and updated regarding key cybersecurity-related matters in accordance with our internal reporting processes.


Company Information

Name: Dynatrace, Inc.
CIK: 0001773383
SIC Description: Services-Prepackaged Software
Ticker: DT - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: March 31