Dynatrace, Inc. 10-K Cybersecurity GRC - 2024-05-23

Page last updated on July 16, 2024

Dynatrace, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-23 16:07:54 EDT.

Filings

10-K filed on 2024-05-23

Dynatrace, Inc. filed a 10-K at 2024-05-23 16:07:54 EDT
Accession Number: 0001773383-24-000076

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We have dedicated substantial resources to prevent and manage cybersecurity risk. We have administrative, technical, and physical security measures in place, as well as policies and procedures to require third parties to whom we transfer data to implement and maintain appropriate security measures. We proactively employ multiple methods at different layers of our systems which are designed to defend against intrusion and attack and protect our data. We also consider the threats and challenges that we and other companies face as cybersecurity attacks grow in frequency and complexity. We have in the past been, and may in the future be, the target and victim of cybersecurity attacks. In general, security incidents have increased in sophistication and have become more prevalent across industries and may occur on our systems, or on the systems of third parties we use to host our solutions or SaaS solutions that we use in the operation of our business, or on those third party hosting platforms on which our customers’ host their systems. Although we have taken significant measures to detect, effectively remediate, and prevent phishing and other attacks and security threats, we cannot be certain that our efforts will be effective to prevent and remediate all attacks and security threats. To date, we do not believe we have experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See the “Risk Factors” section of this Annual Report for more information on material cybersecurity risks that we face. Risk Management and Strategy Cybersecurity risk management is integrated within our enterprise risk management (“ERM”) program, which identifies, prioritizes as to likelihood and magnitude, and continuously monitors the various short-term and long-term risks that Dynatrace faces and how they are being addressed . In developing our cybersecurity risk management program, we are informed by industry benchmarks and standards, including the cybersecurity framework created by the National Institute of Standards and Technology (“NIST”). We also have various security-related certifications and authorizations, including ISO 27001, SOC 2 Type II, FedRAMP and StateRAMP. We have an Information Security Office that is responsible for preventing, assessing, detecting, mitigating, and remediating cybersecurity risks. The Information Security Office, which is led by our Chief Information Security Officer (“CISO”), works cross-functionally with different business and corporate functions, as all Dynatrace employees are considered critical to our company’s security. Our Information Security Office also partners with external organizations to maintain and enhance our cybersecurity systems and processes. Our Board of Directors and two of its committees are also involved in the oversight of our cybersecurity risk management. We discuss our CISO and the Board in more detail in the “Governance” section below. Risk assessment and management - Our corporate and product security professionals assist in managing cybersecurity systems and in preventing, detecting, assessing, and resolving cybersecurity incidents. We build cybersecurity principles into our product development and system design, we have internal and external penetration testers who test our product platform and corporate systems, and we have a bug bounty program that can incentivize external security researchers who help us identify and fix bugs and vulnerabilities before they are exploited. Our internal audit team and our company’s independent auditors periodically assess the effectiveness of certain of our cybersecurity-related controls. From time to time, we also engage external consultants and advisors to perform independent security testing and assessments and to assist with aspects of our cybersecurity program. We also utilize automated technology that alerts our security team of unusual activity in our corporate systems, product platform, and public-facing systems. As part of our processes, we require applicable internal approvals for changes to security-critical aspects of our product platform and services. Third-party risk management - We assess the cyber risk of potential third-party service vendors, partners, and other service providers. We evaluate third parties before onboarding and periodically afterwards or if we detect a significant change in their cyber risk rating. We also perform security assessments on third-party code libraries before internal use. Incident response planning - We have an incident response plan that sets forth a structured process and approach for how we assess, respond to, and remediate cybersecurity incidents. Under the plan, our CISO, the Information Security Office, and any incident response team that may be formed, work with our legal team, our privacy office, and any other applicable internal teams and external resources to address and communicate about incidents to key stakeholders, including the Board and its Cybersecurity Committee. We review and test the plan from time to time to enhance management and Board preparedness in the event of a potential cybersecurity incident and to identify areas of continuous improvement. Training and education - We require employees and contractors to complete data protection and security awareness training in connection with onboarding and annually thereafter. These trainings cover a wide range of topics, including, but not limited to, ransomware, impersonation attacks, data handling and privacy, fraud, phishing, and identity theft. From time to time, we also require supplemental training depending on an individual’s role or job responsibilities. Our CISO also periodically presents on cybersecurity matters at company-wide meetings and with individual business and corporate functions. Governance Board oversight - Our Board of Directors, as a whole and through its committees, has responsibility for the oversight of our risk management. The Board is responsible to satisfy itself that the risk management processes designed and implemented by management are adequate and functioning as designed. The Board has a standalone Cybersecurity Committee that is responsible for managing oversight of our cybersecurity-related investments, programs, plans, controls, and policies. The Cybersecurity Committee also provides feedback on cybersecurity-related matters, including, but not limited to, strategies, objectives, capabilities, initiatives, and policies. The Cybersecurity Committee meets during the year with the CISO and other members of our executive leadership team. In between meetings, the CISO periodically provides the Cybersecurity Committee with a written report on cybersecurity matters. The Board’s Audit Committee oversees our ERM program, which includes cybersecurity risk management as a focus area. The full Board also receives periodic reports from management on the ERM program. The Chairs of the Cybersecurity Committee and the Audit Committee periodically update the full Board on specific committee-level topics and discussions. This enables the Board and its committees to coordinate the risk oversight role, particularly with respect to risk interrelationships. From time to time, the CISO and other members of our executive leadership team discuss cybersecurity-related matters with the full Board at its scheduled meetings. Outside of scheduled meetings, management also periodically notifies or updates the Cybersecurity Committee or the Board, as appropriate, regarding certain types of cybersecurity incidents and matters. Management’s role - Management is responsible for assessing and managing our material cybersecurity risks, practices and policies on a day-to-day basis. Our CISO, who reports to the Chief Financial Officer, leads the Information Security Office and our cybersecurity program. Our CISO has worked in information technology and cybersecurity roles for more than three decades and has led our program since 2018. As part of his role, our CISO is responsible for communicating and coordinating cybersecurity-related matters with the Board and the Cybersecurity Committee (as discussed above) and our executive leadership team. For example, our CISO collaborates with the Chief Technology Officer and the Chief Legal Officer on cybersecurity measures throughout the organization and the CISO works with the Chief Product Officer in connection with the introduction or updating of security features for the Dynatrace platform and our services. The Information Security Office is comprised of professionals who collectively have significant experience in a wide range of cybersecurity matters, including threat assessment and detection, incident response, and risk management. The Information Security Office works with Dynatrace’s other business and corporate functions and keeps the CISO informed and updated regarding key cybersecurity-related matters in accordance with our internal reporting processes.

Company Information