Doximity, Inc. 10-K Cybersecurity GRC - 2024-05-23

Page last updated on July 16, 2024

Doximity, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-23 16:10:32 EDT.

Filings

10-K filed on 2024-05-23

Doximity, Inc. filed a 10-K at 2024-05-23 16:10:32 EDT
Accession Number: 0001516513-24-000035

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing risks from cybersecurity threats.

We have implemented a cybersecurity risk management program informed by and incorporating elements of recognized industry standards, such as the National Institute of Standards and Technology Cybersecurity Framework. This program, which is integrated into our overall enterprise risk management strategy, is designed to identify, assess, and mitigate critical risks from cybersecurity threats. Our cybersecurity risk management program is overseen by our Chief Technology Officer and is supported by a third-party information technology vendor who, as appropriate, helps to assess our cybersecurity program against industry standards.

Our cybersecurity program includes safeguards such as firewalls, DDoS mitigation tools, data encryption technologies, and authentication controls such as multi-factor authentication. We monitor our cybersecurity posture through periodic risk assessments and external audits, which are reviewed primarily by our Chief Technology Officers and others as needed and incorporated into our overall enterprise cyber strategy and risk management program.

Additionally, we have adopted an incident response plan which has been designed to identify and manage significant events that may impact our information technology infrastructure, including those arising from or related to cybersecurity threats.

We have also implemented a process to assess and review the cybersecurity practices of certain third-party vendors and service providers, such as those that may have access to restricted systems and data, including through review of System and Organization Controls (SOC) reports prior to onboarding. As appropriate, we also include contractual requirements regarding cybersecurity practices in third-party contracts.

We have a security awareness training program, required for all employees and contractors upon onboarding and on an annual basis thereafter, that is designed to raise awareness of cybersecurity threats across functions as well as to encourage consideration of cybersecurity risks across our Company. As part of this employee training program, we periodically conduct phishing simulations designed to raise employee awareness of such risks.

To date, we have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents that could affect our information or systems. For more information, see “Risk Factors-Risks Related to Our Business-If our security measures are compromised now or in the future, or the security, confidentiality, integrity, or availability of our information technology, software, services, communications, or data is compromised, limited, or fails, this could have a material adverse effect on our business, financial condition, and results of operations.”

Governance Related to Cybersecurity Risks

Our Chief Technology Officer is responsible for the establishment and maintenance of our cybersecurity risk management processes, including the day-to-day oversight of the assessment and management of cybersecurity risks. Our Chief Technology Officer has over 15 years of experience in software development and security architecture. Our Chief Technology Officer provides reports to and meets periodically with our General Counsel to discuss and review our information security and cybersecurity risk management processes.

Our Board of Directors has delegated oversight of the Company’s enterprise risk management processes, including those related to cybersecurity risks, to the audit committee of the Board of Directors (the “Audit Committee”). Our General Counsel, following consultation with our Chief Technology Officer, provides updates to the Audit Committee concerning our cybersecurity program at its regular meetings, and the General Counsel and Chief Technology Officer provide a deeper review of the cybersecurity program, including information concerning areas of potential critical risk, to the Audit Committee approximately annually. The chair of the Audit Committee provides an overview of these updates to the Board following these sessions. In addition, the management team would escalate awareness of any material incidents to the Audit Committee promptly, should such an event occur.


Company Information

Name: Doximity, Inc.
CIK: 0001516513
SIC Description: Services-Computer Programming Services
Ticker: DOCS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30