Page last updated on July 16, 2024
NETSCOUT SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-16 16:07:00 EDT.
Filings
10-K filed on 2024-05-16
NETSCOUT SYSTEMS INC filed a 10-K at 2024-05-16 16:07:00 EDT
Accession Number: 0001628280-24-023777
Item 1C. Cybersecurity.
Risk management and strategy
NetScout has implemented and maintains information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information, and the information of our customers and employees (“Information Systems and Data”). Our Cybersecurity Executive Council (“Council”), which is led by the Chief Information Officer (“CIO”) and includes our Chief Information Security Officer (“CISO”), Chief Operating Officer (“COO”), General Counsel (“GC”), Chief Compliance Officer (“CCO”), SVP of Research & Development, Senior Director of Engineering, and AVP of Engineering, oversees NetScout’s cybersecurity program, including strategy, threats, risks, and mitigations.
The CISO and Senior Director of Engineering, with guidance from the Council, work to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and NetScout’s risk profile using various methods such as implementing manual and automated tools, subscribing to services that identify cybersecurity threats, analyzing reports of certain threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, conducting audits and threat assessments, conducting vulnerability assessments to identify vulnerabilities, and engaging in tabletop incident response exercises.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, among other things: an incident response plan, vulnerability management, systems monitoring, disaster recovery and business continuity plans; risk assessments; encryption of certain data; network security controls for certain systems; data segregation and access controls for certain systems; physical security measures; asset management; employee training; certain testing; and IT and software development lifecycle training. NetScout also employs certain proprietary detection tools, enabling enhanced visibility and warning systems in response to certain cybersecurity threats. We also use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including professional services firms, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers and certain testing firms. We use third-party service providers to perform a variety of other functions throughout our business, such as application providers, hosting companies, and supply chain resources (such as shipping). We have a vendor management program to manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve risk assessments, data privacy and security questionnaires, assessments, and imposition of cybersecurity-related contractual obligations on the vendor. Our risk-based assessment and management of material risks from cybersecurity threats are integrated into NetScout’s overall risk management processes. 
Cybersecurity risks are addressed as a component of NetScout’s enterprise risk management program and our enterprise risk management processes include an Enterprise Risk Management Steering Committee (“Steering Committee”), led by the CCO and including members of management, that meets quarterly and considers ways to mitigate cybersecurity threats that are more likely to lead to a material impact to our business. The Steering Committee evaluates material risks from cybersecurity threats against our overall business objectives and provides a risk register report to the Audit Committee of the Board of Directors, which evaluates our overall enterprise risk.
Governance
Our Board of Directors addresses NetScout’s cybersecurity risk management as part of its oversight function. The Board of Directors’ Audit Committee is responsible for overseeing NetScout’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats. Our Council, in turn, oversees management’s cybersecurity efforts. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of NetScout’s management, including our CISO, who reports to the CIO and has over 25 years of experience, the CCO, and the Senior Director of Engineering for security.
The CISO and Senior Director of Engineering are each responsible for helping to integrate cybersecurity risk considerations into NetScout’s overall risk management strategy and communicating key priorities to relevant personnel. The CISO and Senior Director of Engineering are also responsible for helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response policy and plan are designed to escalate certain cybersecurity incidents to a Security Incident Response Team (“SIRT”), comprised of the CIO, CISO, GC, CCO and Senior Director of Engineering.
The SIRT works with NetScout’s incident response team to help NetScout mitigate and remediate cybersecurity incidents of which they are notified. In addition, NetScout’s incident response plan includes reporting to the CEO and Chair of the Audit Committee of the Board of Directors for certain cybersecurity incidents. NetScout’s Cybersecurity Disclosure Committee, which includes the SIRT and the CFO, assesses the materiality of cybersecurity incidents for potential disclosure requirements according to an escalation process defined in NetScout’s Cybersecurity Protocol for Disclosure Controls and Procedures.
The Board of Directors receives quarterly reports from the CISO and CIO concerning NetScout’s significant cybersecurity threats and risk and the processes NetScout has implemented to address them. The Board of Directors also receives various reports, summaries and presentations related to cybersecurity strategy, threats, risk and mitigation.
To date, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. For a description of the risks from cybersecurity threats that may materially affect NetScout and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K.
Company Information
Name | NETSCOUT SYSTEMS INC |
CIK | 0001078075 |
SIC Description | Services-Computer Integrated Systems Design |
Ticker | NTCT - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | March 30 |