VERISIGN INC/CA 10-K Cybersecurity GRC - 2026-02-05

Page last updated on February 5, 2026

VERISIGN INC/CA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-05 16:41:16 EST.

Filings

10-K filed on 2026-02-05

VERISIGN INC/CA filed a 10-K at 2026-02-05 16:41:16 EST
Accession Number: 0001014473-26-000006

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity program is designed and implemented to assess, identify, mitigate and manage risks from cybersecurity threats that may result in adverse effects on the integrity and availability of our production and information systems and support our track record of more than 28 years of 100% DNS uptime for .com and .net. Among other items, our cybersecurity program is comprised of policies, standards, plans and frameworks for information security, business resilience, insider threat mitigation, technology asset management, cyber risk management, incident response and procurement. Material risks from cybersecurity threats include, among other things, operational disruption, including failure to meet our service level agreements, loss or destruction of data, hardware or intellectual property, and cyber extortion through ransomware. While we have not identified any material cybersecurity incidents, we continuously manage cyber-attacks, including from sophisticated nation-state actors. In addition, AI continues to enhance the capabilities of threat actors. The management of cybersecurity risks, which involves significant and sustained resource commitments and management attention, is also integrated into the Company's enterprise risk management ("ERM") program through formal processes that help identify and elevate the most serious risks, including those pertaining to cybersecurity, for management at the enterprise level and oversight at the Board level. For more information on the Company's cybersecurity risks and their possible impact on our business strategy, results of operations, or financial condition see "Risk Factors - Cybersecurity and Technology Risk Factors" in Part I, Item 1A of this Form 10-K.
Our cybersecurity program leverages the NIST Cybersecurity Framework to help protect the Company's operations, information, production systems and networks from threats through cybersecurity practices, programs and tools that establish defenses in depth. The cybersecurity program includes, among other items, vulnerability and patch management, segmentation, identity and access management, application of zero-trust principles, automated ingestion of multi-source threat intelligence, end point and network detection/response, application security, secure configurations for operating systems and databases, continuous security monitoring and 24/7 security operations, augmented by a third party managed detection and response provider. The program has dedicated business resilience, insider threat and governance, risk and compliance ("GRC") functions that report to our Chief Information Security Officer ("CISO"). Incident management is governed by our Incident Response Plan that assigns incident command and control parameters and escalation protocols to management and the Board of Directors. Our incident response plan includes procedures for immediate escalation of cybersecurity events to our Legal department to ensure timely evaluation of disclosure obligations. Our cybersecurity program also focuses on risks from the use of third-party services. Our GRC team assesses the cybersecurity practices of current and prospective service providers for compliance with our requirements, and our procurement functions seek terms and conditions, including by example, audit rights and vulnerability or breach disclosure obligations, to enhance our defenses against supply chain risks. Our cybersecurity program incorporates several control and best practice regimes, including for example, the Center for Internet Security ("CIS") controls tailored for our specific environment. 
We conduct regular internal and external assessments, audits, and tabletop exercises to assess security vulnerabilities, control compliance and incident preparedness. These assessments and exercises include breach attack simulation tools, red team exercises simulating insider and external attacks, threat and vulnerability assessments, ransomware, application, and secure image testing, crisis management exercises, including incident response and escalation procedures, and internal audit reviews. Management and the Board's Cybersecurity Committee reviews the results of these exercises, audits and assessments. We also actively engage with third parties, such as key vendors, auditors, consultants, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our cybersecurity program. We monitor emerging data protection laws and cybersecurity and privacy regulatory requirements and implement changes to our standards and processes for continued compliance. Our cybersecurity program also includes employee and contractor training, which primarily consists of monthly educational videos, annual trainings and certifications, and phishing exercises.

Cybersecurity Governance

Our cybersecurity strategy and program are led by our Executive Vice President of Technology and Chief Security Officer ("CSO"), who reports to the CEO. Our CSO has over 30 years of experience in technology and cybersecurity leadership positions and has authored several security-related books and numerous patents, IP standards, and security research publications. He has served in various capacities on various technology working groups and standards setting organizations including the Internet Architecture Board and the Internet Engineering Task Force.
Our CSO manages a converged security, engineering and operations organization that helps to ensure that cyber and other security priorities are comprehensively considered throughout the Company. Our CISO, Chief Information Officer ("CIO"), Chief Technology Officer ("CTO") and the head of architecture, engineering, operations, and corporate security functions report to our CSO. These and other experienced employees lead the teams responsible for implementing various parts of our cybersecurity program. In addition, a management-level Safety and Security Council ("Council") chaired by our CEO and comprised of our CSO, CFO, General Counsel, and other senior officers, provides cross-functional coordination for the management of the Company's security functions. The Council receives information, typically monthly, on the status of the cybersecurity program, initiatives, incidents, cybersecurity risks, assessments, and threats, among other items. The Chair of the Board's Cybersecurity Committee is the Board's liaison to the Council and attends the regular meetings of the Council.

Our Board has delegated primary oversight of the Company's cybersecurity risks and our cybersecurity program to the Cybersecurity Committee. The Audit Committee also reviews material cybersecurity risks as part of the Company's ERM program. The Cybersecurity Committee reviews our incident response plan, including escalation protocols, business continuity program plans, program budgets and resources, and our cybersecurity insurance program. It also reviews and discusses the activities of the Council at each of its regularly scheduled meetings. The Cybersecurity Committee operates pursuant to a written charter and calendar, each of which are reviewed on an annual basis.
The Cybersecurity Committee and the full Board receive quarterly status reports on the cybersecurity program from the CSO, addressing progress and updates on multiple cybersecurity functions and initiatives including, for example, compliance, assessments, security operations and incident response, business resilience, DDoS attacks, data privacy, technology and asset management, controls, and vulnerability management. In addition, the Cybersecurity Committee conducts oversight on behalf of the Board of our use of AI and AI risks, including as it pertains to cybersecurity and data governance. At the management level, the Company's use of AI, including in the cybersecurity area, is managed pursuant to a corporate AI policy by a cross-functional AI Steering Committee comprised of senior Verisign technology, cybersecurity and legal resources.


Company Information

Name: VERISIGN INC/CA
CIK: 0001014473
SIC Description: Services-Computer Programming Services
Ticker: VRSN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31