Atlassian Corp 10-K Cybersecurity GRC - 2025-08-15

Page last updated on August 18, 2025

Atlassian Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-15 16:06:23 EDT.

Filings

10-K filed on 2025-08-15

Atlassian Corp filed a 10-K at 2025-08-15 16:06:23 EDT
Accession Number: 0001650372-25-000036


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.

We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) and Secure Software Development Framework (“SSDF”). This does not imply that we meet any particular technical standards, specifications, or requirements; we use NIST CSF and SSDF as guides to help us identify, assess, and manage risks from cybersecurity threats relevant to our business.

Cybersecurity risks are incorporated into our overall enterprise risk management program. Our Chief Trust Officer (“CTrO”) reports to our Chief Technology Officer and oversees our trust and overarching security strategy. Our Chief Information Security Officer (“CISO”) reports to our CTrO and oversees the technical identification, assessment and management of cybersecurity risks relevant to our business.

Our cybersecurity risk management program includes, among other elements:

- Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment.
- A Security team, principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents.
- The use of external service providers, where appropriate, to assess, test, respond to or otherwise assist with aspects of our security controls, as well as maturity assessments of our cybersecurity program.
- Implementation of new hire and annual data privacy and cybersecurity training of all employees, including senior management; annual role-based training for employees in specific incident response roles, as well as for employees with specific access to systems, devices, or locations, and targeted cybersecurity incident simulation training held on a recurring basis.
- Incident response playbooks and standard operating procedures outlining procedures for detecting, responding to, and mitigating cybersecurity incidents. Depending on the nature and severity of an incident, responses may involve escalating notification to our Chief Executive Officer and our board of directors.
- Post-incident reviews are conducted for major incidents, and to determine steps that may be taken to mitigate identified risks and reduce the likelihood of reoccurrence.
- Internal policies designed to protect our systems and operations, including (1) a data classification and labelling standard to evaluate the confidentiality level of internal information, (2) a cloud continuity policy to address experience disruption for cloud customers, and (3) a business resilience policy to provide a framework for operations during and after disruption events.
- A third-party risk management process for service providers, suppliers, and vendors. Such service providers are subject to risk tiering, security risk assessments, and recurring reviews, as applicable. When third-party provider incidents occur, we assess their materiality to our operations and investigate accordingly.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, whether individually or in the aggregate, have materially affected or are reasonably likely to materially affect us, our business, and our results of operations in Part I, Item 1A in this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity Governance

Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to its audit committee (the “Audit Committee”) oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program, and it reports to the full board of directors regarding its activities, including those related to cybersecurity.

Our CTrO and CISO provide updates on significant risks to the Audit Committee quarterly and also provide updates to the full board of directors at least biannually. Outside of regular meetings, depending on the nature and severity of an incident, our CTrO and CISO will also inform the Audit Committee, Chief Executive Officer, and the rest of the board of directors of significant cybersecurity incidents.

Our CTrO leads our Trust and Security organization, focusing on maintaining customer trust and overseeing the overall security posture of the company. The CTrO’s role involves managing cybersecurity risks and reviewing whether the company’s security practices align with customer expectations and industry standards.

Our CISO leads our Security organization and is responsible for all security-related activities and controls at Atlassian. This includes defining the security strategy, developing, and enforcing security standards, and managing security technologies. The CISO also oversees security operations, incident response, and reviews compliance with legal and regulatory requirements.

Our CTrO has served in his role since October 2023 and has extensive experience in the cybersecurity space, including previously serving as Chief Trust Officer of a large publicly-traded enterprise software company. Our CISO has served in his role since December 2024 and also has extensive experience in cybersecurity, including serving as Chief Information Security Officer of a large publicly-traded enterprise software company.

Our CTrO and CISO oversee our efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal personnel, threat intelligence, and other information obtained from governmental, public, or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.

Within the Trust and Security organizations, we implement a structured approach to proactively manage cybersecurity risks. Our Security Governance, Risk and Compliance team monitors, assesses, and coordinates proactive identification and remediation efforts for cybersecurity risks impacting Atlassian. This team partners cross-functionally with others in the Security organization and individuals from our legal, internal audit, engineering, and product development teams.

Our Security team includes individuals with experience across a broad range of cybersecurity areas, including, but not limited to: product security; cloud security; infrastructure security; security monitoring and incident response; identity and access management; vulnerability management; and governance, risk, and compliance.


Company Information

Name: Atlassian Corp
CIK: 0001650372
SIC Description: Services-Prepackaged Software
Ticker: TEAM - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: June 29