TWILIO INC 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

TWILIO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:16:55 EST.

Filings

10-K filed on 2026-02-24

TWILIO INC filed a 10-K at 2026-02-24 16:16:55 EST
Accession Number: 0001447669-26-000021


Item 1C. Cybersecurity.

Our board of directors is actively involved in oversight of cybersecurity, recognizing the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees.

Risk Management and Strategy

We have policies, standards, processes and practices for assessing, identifying, and managing risk from cybersecurity threats that are integrated into our risk management systems and processes. Utilizing a cross-functional approach, we focus on preserving the confidentiality, integrity, and availability of our information systems by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. As part of this approach, we have implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents to enable timely decisions by management regarding the public disclosure and reporting of such incidents.

Our cybersecurity program is focused on the following key areas:

- Governance. As discussed in more detail under the heading "Governance" below, our board of directors oversees cybersecurity risk through regular interactions with our Chief Information Security Officer ("CISO") and other members of management. In addition, our board of directors, supported by our audit committee, oversees the risk management systems and processes into which cybersecurity risk is integrated.

- Risk Assessment. We conduct security assessments both internally and with the assistance of third parties to identify cybersecurity threats periodically and to identify any potentially material changes in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These security assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential impact of such risks, and the sufficiency and effectiveness of existing policies, procedures, systems, and controls to manage such risks. Risk themes identified during our risk assessments guide annual cybersecurity planning activities and investments to improve security coverage, technology capabilities and processes.

- Technical Safeguards. We deploy, maintain, and regularly monitor the effectiveness of technical safeguards that are designed to protect our information systems from cybersecurity threats. We align our security program to recognized frameworks and industry standards. We make investments in core security capabilities, including awareness and training, identity and access, incident response, product security, cloud security, enterprise security, and risk management, in order to enable us to better identify, protect, detect, respond to, and recover from evolving security threats. Our technical safeguards include firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through internal and external security assessments and cybersecurity threat intelligence. We regularly assess our safeguards through internal testing by our assurance teams. We also leverage external third-party testing (e.g., penetration testing, attack surface mapping, and security maturity assessments) and seek third-party certifications (e.g., SOC2, ISO, and PCI DSS). Following our risk assessments, we evaluate whether and/or how to re-design and/or enhance our safeguards to reasonably address any identified risks or gaps.

- Incident Response and Recovery Planning. We have established comprehensive incident response and recovery plans that address the full lifecycle of our response to a cybersecurity incident. These plans are periodically tested and evaluated.

- Third-Party Risk Management. We identify and oversee cybersecurity risks presented by third parties and our supply chain, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. As part of our risk-based approach, we perform due diligence on vendors, service providers and other third-party users of our systems at initial onboarding and periodically thereafter. We also require that third-party service providers have the ability to implement and maintain reasonable and appropriate security measures, consistent with applicable laws, in connection with their work with us, and to promptly report any actual or suspected breach of their security measures that may affect our company.

- Security Awareness and Training. Our security awareness program requires that employees and certain contractors complete comprehensive security training upon joining the company and annually thereafter. The training covers critical security topics to ensure our workforce stays informed about top-of-mind security areas, such as phishing. The training helps ensure that our personnel have the knowledge and skills required to protect our digital assets and critical data. In addition, we conduct awareness campaigns on cybersecurity threats as a means to equip our personnel with effective tools to address such threats and to communicate our evolving information security policies, standards, processes and practices.

We engage in the periodic assessment and testing of our cybersecurity policies, standards, processes and practices, including through audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating their effectiveness and informing adjustments as necessary. To assist with these exercises, we engage assessors, consultants, auditors, and other third parties, including for third-party testing and certifications (as described above under "Technical Safeguards"), information security maturity assessments, customer audits, and independent reviews of our information security control environment and operating effectiveness.

To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our company, including our business strategy, results of operations, or financial condition. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, are reasonably likely to materially affect our company in the future, including our business strategy, results of operations, or financial condition, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.

Governance

Our board of directors, in coordination with our audit committee, oversees the management of cybersecurity risks, and is responsible for monitoring and assessing strategic risk exposure through our risk management processes. Our management team is responsible for the day-to-day management and mitigation of the material cybersecurity risks we face. This is carried out under the leadership of our CISO, and involves our Security Incident Response Team ("SIRT") and other core information security operational teams, in partnership with our engineering teams, as well as management committees, including our Cyber Incident Task Force ("CITF").

During 2025, our board of directors received quarterly updates directly from management on cybersecurity risks. Management's presentations on cybersecurity risks address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties, and risks relating to cybersecurity incidents.

Our CISO is primarily responsible for the assessment and management of our material risks from cybersecurity threats, working collaboratively and cross-functionally to design and implement our cybersecurity policies and processes, including those described in "Risk Management and Strategy" above, and for responding to any cybersecurity incidents. Our SIRT is primarily responsible for detecting, mitigating and remediating cybersecurity threats and incidents. In addition, our CITF (which includes our CISO and our Chief Financial Officer ("CFO")) is primarily responsible for evaluating cybersecurity incidents, gathering and assessing facts relevant to applicable regulatory reporting and disclosure obligations, making recommendations to our Chief Executive Officer and CFO regarding such disclosure, and advising our board of directors and audit committee on the effectiveness of policies and procedures related to the disclosure of cybersecurity incidents.

To facilitate our cybersecurity risk management program, multidisciplinary teams throughout our company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, our CISO and the SIRT monitor the detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the CITF when appropriate.

Our management team responsible for assessing and managing cybersecurity risks includes experienced professionals, with many years of relevant experience managing cybersecurity and other risks at the Company and at similar companies, and broad technological expertise. In particular, our CISO has over 20 years of experience managing cybersecurity risks in the technology industry, including serving as the acting chief security officer at a public company and holding other senior cybersecurity leadership and operational roles at other companies. Our CISO holds an undergraduate degree in computer engineering and graduate degrees in electrical engineering and business administration.

If one of the roles described in this Item 1C is vacant, another senior member of the applicable functional team is selected to serve on our CITF or any other applicable committees or task forces on an interim basis, as needed.


Company Information

Name: TWILIO INC
CIK: 0001447669
SIC Description: Services-Prepackaged Software
Ticker: TWLO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31