Autodesk, Inc. 10-K Cybersecurity GRC - 2024-06-10

Page last updated on July 16, 2024

Autodesk, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-10 16:16:30 EDT.

Filings

10-K filed on 2024-06-10

Autodesk, Inc. filed a 10-K at 2024-06-10 16:16:30 EDT
Accession Number: 0000769397-24-000090

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Autodesk has established policies and processes for assessing, treating, and managing material risk from cybersecurity threats based on relevant industry standards. These policies and processes are reviewed and updated at least annually. We have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may adversely affect the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct risk assessments, penetration tests, and other security assessments to identify cybersecurity threats regularly, and in the event of a material change in our business practices that may affect information systems potentially vulnerable to such cybersecurity threats. These assessments include the identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Risks are then assigned to the appropriate owners for tracking and mitigation. Following these assessments, we re-design, implement, and maintain reasonable safeguards, when appropriate, to minimize identified risks; reasonably address any identified gaps in existing safeguards; and continually monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Chief Trust Officer, who reports to our Chief Technology Officer, to manage the risk assessment and mitigation processes. As part of our overall risk management system, we monitor and test our safeguards. We train our workforce on these safeguards. Personnel at all levels and departments are made aware of our cybersecurity policies through required trainings. Cybersecurity tabletop exercises are regularly conducted for our executives and for incident response professionals. Improvements identified at these tabletop exercises are implemented into our processes. We engage assessors, consultants, and auditors in connection with our risk assessment processes. These outside advisors assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards. We require Autodesk’s third-party service providers and suppliers to implement and maintain appropriate security measures consistent with applicable laws in connection with their work with us and to promptly report any suspected breach of their security measures that may affect our Company. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K, including the risk factors entitled “Risks Relating to Our Operations”. Governance One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure. The board’s Audit Committee oversees the management of cybersecurity risks relating to financial, accounting, and internal control matters. The full board receives regular updates from our senior management and outside advisors regarding cybersecurity risks Autodesk faces. Our Enterprise Risk Management function is responsible for identifying, prioritizing, and mitigating risks that could limit Autodesk’s achievement of its strategic and operational priorities. Our executive officers are responsible for the day-to-day assessment and management of these risks. Our Chief Trust Officer is responsible for assessing and managing material risks from cybersecurity threats. Our Chief Trust Officer has more than twenty years of cybersecurity leadership experience, including serving in similar roles leading cybersecurity programs at other public companies. Our Chief Trust Officer oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our Chief Trust Officer is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents include the following: leading Autodesk’s Trust program which implements data protection measures and processes across the organization; strategic planning of the company’s cybersecurity initiatives and objectives; cybersecurity risk mitigation efforts; managing tools and processes that support security incident monitoring and alerting; overseeing security incident response planning; managing exercises that test management’s response plans and procedures; and managing our response to suspected or actual security incidents. Our Chief Trust Officer provides quarterly briefings to the Audit Committee regarding our cybersecurity risks and state of our Trust program, including recent cybersecurity incidents and related responses, cybersecurity systems testing, and data protection initiatives and metrics. Our Audit Committee regularly updates the board of directors on such reports. In addition, our Chief Trust Officer provides briefings on cybersecurity risks and activities to the board of directors at least annually. Our Chief Trust Officer may also brief the board of directors regarding significant cybersecurity incidents.

Company Information