Sprout Social, Inc. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Sprout Social, Inc. described its cybersecurity risk management and governance process in its annual report on Form 10-K, filed on 2026-02-27 at 16:01:24 EST.

Filings

10-K filed on 2026-02-27

Sprout Social, Inc. filed a 10-K at 2026-02-27 16:01:24 EST
Accession Number: 0001517375-26-000015


Item 1C. Cybersecurity.

Risk Management and Strategy

As a cloud service provider, Sprout Social believes keeping data secure is important and takes steps designed to do so. We implement and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical infrastructure, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and data related to our employees and customers ("Information Systems and Data").

Security Program Structure

Sprout Social maintains an overarching security program comprising several teams including (1) Security Operations, (2) Information Technology, (3) Application Security, (4) Infrastructure Security, and (5) Governance, Risk, and Compliance. Together, these teams help identify, assess and manage the Company's cybersecurity threats and risks using various methods including, for example, internal and external audits, automated and manual tools, threat assessments for internal and external threats, software and services that identify cybersecurity threats, third party threat assessments, a vulnerability management policy and program, incident response exercises, and evaluating threats reported to us through an external bug bounty program. Our security program is designed to align with the ISO 27001:2022 (International Organization for Standardization) standard and ISO 27701:2019 (privacy extension), incorporates elements from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and is regularly reviewed and audited by independent external third-party auditors.

Technical and Organizational Measures

As part of our security program, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, a general information security policy, incident response plan and incident response policy, data classification, protection, retention, and destruction policy, server protection and logging standards, vulnerability management program, vendor selection and security standard, business continuity and disaster recovery plan, employee onboarding, offboarding, and access escalation policy, risk management and audit policy, regular penetration testing of our production networks and applications, maintaining industry recognized certifications, cybersecurity insurance, and dedicated cybersecurity staff.

Enterprise Risk Integration

Our assessment and management of material risks from cybersecurity threats are integrated into the Company's overall risk management processes. For example, cybersecurity risk is addressed as a component of the Company's enterprise risk management program and identified in the Company's risk register. The security team works with management to help identify, discuss, and prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.

Third-Party Assessments and Support

We use third-party service providers to assist us from time to time in reviewing our policies, standards and procedures, identifying and assessing material risks from cybersecurity threats, and making recommendations to improve our security program, including, for example, professional services firms, external legal counsel, penetration testing firms, cybersecurity consultants, and cybersecurity software providers.

We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, and other types of third-party service providers for critical business operations. Our vendor management process includes security assessments for vendors handling sensitive data, ongoing monitoring based on risk tier, and requirements that certain vendors maintain appropriate security certifications. We require information security-related contractual provisions in our vendor agreements.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the sections of our risk factors titled "Risks Related to the Use of Technology" and "Legal and Regulatory Risks."

Governance

Board Oversight

Our Board of Directors is responsible for overseeing the Company's cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Board receives updates on cybersecurity matters twice per year, during which management presents information regarding the Company's cybersecurity program, risk assessments, threat landscape developments, security control effectiveness, third-party assessments, and material security events or incidents.

Management Responsibilities

Our overarching security program, enterprise-wide cybersecurity strategy, risk management program, and related security policies, standards, and processes are managed by the Vice President of Information Technology, Security, and Compliance and the Chief Technology Officer. The Vice President of Information Technology, Security, and Compliance has over 15 years of experience leading information technology and security teams and holds a Certified Information Systems Security Professional (CISSP) certification.

The Vice President of Information Technology, Security, and Compliance reports to the Chief Technology Officer. They are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company's business strategy, communicating key priorities to relevant personnel, approving budgets, preparing for cybersecurity incidents, approving cybersecurity policies, and reviewing internal and external security assessments and other security-related reports. They also report on our risk management program, overall security posture, progress on maturing the security program, and new or emerging risks to senior management and the Board of Directors.

Incident Response and Escalation

Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management based on predefined criteria, including, for example, to our Vice President of Information Technology, Security, and Compliance, General Counsel, and Chief Technology Officer. Senior managers work with the Company's incident response team to help the Company mitigate and remediate certain cybersecurity incidents of which they are notified. The Company's incident response plan includes reporting to the Board of Directors, regulators, and law enforcement for incidents meeting defined thresholds based on incident severity and potential impact.


Company Information

Name: Sprout Social, Inc.
CIK: 0001517375
SIC Description: Services-Prepackaged Software
Ticker: SPT - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31