NetApp, Inc. 10-K Cybersecurity GRC - 2024-06-10

Page last updated on July 16, 2024

NetApp, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-10 16:27:03 EDT.

Filings

10-K filed on 2024-06-10

NetApp, Inc. filed a 10-K at 2024-06-10 16:27:03 EDT
Accession Number: 0000950170-24-071327


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company regularly assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities, and tests those systems pursuant to the Company’s cybersecurity policies, standards, processes and practices, which are integrated into the Company’s overall risk management system. To protect the Company’s information systems from cybersecurity threats, the Company uses various security technologies and tools that help the Company identify, escalate, investigate, manage, resolve and recover from security incidents in a timely manner. These efforts include:

- ongoing collection of threat intelligence and environment awareness through monitoring,
- data protection management and vulnerability monitoring through data loss prevention and exfiltration tools,
- cybersecurity risk management processes and practices,
- control assurance,
- secure development of new products,
- identity and access management,
- incident response, auditing and monitoring, and
- maintaining a 24x7 security operations center to allow for always available incident response.

The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. In particular, the Company follows an incident escalation process that is incorporated into our incident and risk management processes. In the event we identify a cybersecurity incident, our senior management, consisting of the Chief Financial Officer, Chief Security Officer (CSO), and Chief Legal Officer, review the facts and circumstances involved in such cybersecurity incident, or series of related cybersecurity incidents.

The Company partners with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes, including third-party review of the Company’s Information Security Management System for ISO 27001 controls, assessment of the Company’s cloud products and managed services according to the American Institute of CPAs (AICPA) Service Organization Control (SOC) Audit Type II, and new product validation as part of the Company’s secure development lifecycle. The Company additionally engages third-party providers in support of endpoint detection and responses, data loss prevention efforts, and incident management efforts.

To date, the Company is not aware of cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For additional discussion of cybersecurity risks and potential related impacts on the Company, refer to the risk factors in Part I, Item 1A. “Risk Factors,” including “If a material cybersecurity or other security breach impacts our services or occurs on our systems, within our supply chain, or on our end-user customer systems, or if stored data is improperly accessed, customers may reduce or cease using our solutions, our reputation may be harmed and we may incur significant liabilities.”

Governance

Our Board of Directors oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. The Audit Committee of the Board of Directors oversees the Company’s risk management program, which focuses on the most significant risks the Company faces in the short-, intermediate-, and long-term timeframes. The Company’s CSO regularly updates each of the Board of Directors and the Audit Committee at least twice a year. Such updates include a review of cybersecurity risks affecting the company, related metrics, and any incidents or issues that require attention from the Board of Directors.

The CSO provides leadership, strategic direction, and oversight for NetApp’s Global Security Risk and Compliance functions and security program. Global Security executives oversee management of risks and track projects progress, remediations, and any issues related to cybersecurity risks. NetApp’s CSO, in coordination with the Chief Information Security Officer (CISO) is responsible for leading the assessment and management of cybersecurity risks. The current CSO and CISO each have over 30 years of experience in IT and information security.

The CSO and CISO stay informed on information security risks through regular meetings on key cybersecurity projects and KPIs. Updates are communicated to the Global Security Steering Committee, which provides quarterly reports to the Board of Directors and to the Audit Committee.


Company Information

Name: NetApp, Inc.
CIK: 0001002047
SIC Description: Computer Storage Devices
Ticker: NTAP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: April 25