Freshworks Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Freshworks Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:09:23 EST.

Filings

10-K filed on 2026-02-26

Freshworks Inc. filed a 10-K at 2026-02-26 16:09:23 EST
Accession Number: 0001544522-26-000036

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have implemented and maintain various information security processes, including a formal cybersecurity risk-management framework, designed to identify, assess, and manage material risks to our information systems and data, including our networks (on-premises and cloud), communications systems, hardware, software, third-party hosted services, confidential and proprietary data (including customer, employee, and strategic business information), and intellectual property. The Chief Information Security Officer (CISO) , in collaboration with our information security team, broader IT organization, product and engineering functions, and external advisors, leads our cybersecurity program. This program utilizes various methods, including both automated and manual controls, threat-feed monitoring, internal audits, access-control assessments, vulnerability scanning, penetration testing, open-source software analysis, and a bug bounty program. Our Chief Information Security Officer (CISO) leads a global cybersecurity program that is embedded across engineering, product, IT, legal, and compliance functions. The program is risk-based and references recognized industry frameworks and regulatory requirements. We employ a layered defense strategy that includes automated and manual controls, continuous threat intelligence monitoring, secure software development practices, cloud security governance, independent assessments, vulnerability management, penetration testing, third-party risk management, and a coordinated vulnerability disclosure and bug bounty program. Cybersecurity risks are regularly assessed, prioritized, and reported to executive leadership and the Board, with defined incident response, escalation, and resilience procedures in place to address evolving threats. Depending on the environment, we implement and maintain various technical, physical, and organizational safeguards-such as 24/7 security operations center (SOC) monitoring, formal incident-response plans, secure software-development practices (including static and dynamic code scanning and third-party component analysis ), identity and access management, encryption of data at rest and in transit, continuous cloud-security-posture monitoring through a Cloud-Native Application Protection Platform (CNAPP) that is designed to provide visibility across our multi-cloud environment, third-party risk-management processes , phishing testing and training, employee awareness programs, and cybersecurity insurance. As we deploy and embed artificial intelligence (AI) and machine learning technologies into our platform, operations, and customer-facing solutions, we have established an AI security governance program designed to manage emerging risks associated with AI adoption, including risks related to cybersecurity. This includes a cross-functional AI Advisory Board comprised of representatives from cybersecurity, IT, product engineering, legal/privacy, data science, and business operations; training and awareness for employees and contractors on AI-specific security topics such as safe use of generative AI and monitoring of AI-enabled threats; and vendor and third-party AI component risk-management, which applies contractual and technical controls-such as model provenance review and ongoing monitoring of AI supplier performance. Our cyber-risk management processes are integrated into our business strategy, and capital allocation decisions. The CISO reports to senior management and the Audit Committee of our Board of Directors on our risk posture, threat landscape, and certain material cybersecurity issues that may arise. Vendors that provide critical services are subject to our vendor risk management program, which includes risk evaluation and contractual security obligations. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see Part I, Item 1A. "Risk Factors," including: "If our information technology, systems, or those of third parties with whom we work, or our data, are or were to be compromised, we could experience adverse consequences resulting from such compromise, including, but not limited to, regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, and other adverse consequences." Governance Our Board of Directors oversees cybersecurity risk as part of its risk-management responsibilities. The Audit Committee is responsible for monitoring our cybersecurity risk management processes, including oversight and mitigation of risks associated with cybersecurity threats. The CISO leads our cybersecurity program and works cross-functionally across IT, product and engineering, human resources, finance, and legal/compliance, to align cybersecurity risk with business objectives. The CISO is responsible for staffing, budgeting, process approval, reviewing key metrics, and responding to and escalating cybersecurity incidents. Our CISO has over 20 years of experience in cybersecurity and information technology leadership, including senior roles in public and cloud-based software companies. The CISO holds CISSP, CISM, CISA, and multiple GIAC certifications. Our incident-response process is designed to escalate certain cybersecurity events to the CISO, Chief Financial Officer (CFO), and Chief Legal Officer (CLO), as appropriate, with the aim of timely disclosure to the Audit Committee and Board. The Audit Committee receives quarterly updates from the CISO on significant threats, risk posture, and mitigation activities; the full Board receives an annual briefing on cybersecurity risk. We maintain controls and procedures designed to ensure that material cybersecurity information is communicated promptly to senior management and the Board, enabling them to exercise oversight and disclosure.

Company Information