Elastic N.V. 10-K Cybersecurity GRC - 2024-06-14

Page last updated on July 16, 2024

Elastic N.V. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-14 16:10:20 EDT.

Filings

10-K filed on 2024-06-14

Elastic N.V. filed a 10-K at 2024-06-14 16:10:20 EDT
Accession Number: 0001707753-24-000014


Item 1C. Cybersecurity.

We face rapidly evolving and sophisticated threats of breaches of our systems and networks as well as those of our suppliers and third-party service providers. To mitigate this threat to our business, we take a comprehensive approach to cybersecurity and expend considerable resources on cybersecurity risk management, strategy, and governance.

Risk Management and Strategy

We integrate our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats into our enterprise risk management program based on recognized frameworks and applicable standards. Our cybersecurity program encompasses the key elements described below:

Collaboration. We employ a cross-functional, risk-based approach to identify and address anticipated and real-time threats to our cybersecurity. Our internal security, risk, and compliance personnel meet regularly to develop strategies for preserving the confidentiality, integrity and availability of corporate, customer, and other third-party information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents, if applicable, can be made in a timely manner.

Risk Assessment. At least annually, we conduct a cybersecurity risk assessment that takes into account information from our internal security, risk, and compliance functions, known information security vulnerabilities, and information from external sources, including reported security incidents that have affected other companies, industry trends, and evaluations by third parties and consultants. We also conduct risk-based cybersecurity tabletop exercises periodically to test our internal readiness and response planning.

Incident Response and Recovery Planning. Our cybersecurity program includes a dedicated cybersecurity function led by our Chief Information Security Officer (“CISO”). As part of our cybersecurity function, our Distributed Security Incident Response Team (“DSRT”) administers a program to monitor, detect, investigate, respond to, and escalate management of internal and external cybersecurity threats and incidents. The DSRT provides threat intelligence information from internal and external resources to our CISO, broader security and resiliency organization, and relevant business units and functional areas as one source within our risk assessment process. Our cybersecurity function partners closely with our Data Privacy organization, led by the Business Integrity Officer, and others within the Legal organization to ensure prompt response on data breach and any other regulatory notification requirements. We have incident response and recovery plans that we test and evaluate for effectiveness in accordance with industry standards.

Third-Party Risk Management. We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of certain third-party service providers. These providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in the risk assessments, including information supplied by providers and third parties. In addition, we require these providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers.

External Assessments. Our cybersecurity program is regularly assessed by consultants and third-party auditors. These assessments include information security maturity evaluations, audits, and independent reviews of our information security control environment and operating effectiveness. The results of significant assessments are reported to management, our board of directors, and our Audit Committee. We adjust our cybersecurity processes based on these results. We have obtained industry certifications and attestations that demonstrate our dedication to protecting the data our customers entrust to us. Information about such certifications can be found on our website.

Governance

Board Oversight. Our board of directors oversees the Company’s risk management process. It has delegated to our Audit Committee the primary responsibility for executing oversight of our cybersecurity risk management processes. In performing this role, the Audit Committee receives regular reports from our CISO and other members of management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. The Audit Committee also considers regular updates from management on our cybersecurity risk profile based on risk assessments, progress of risk reduction initiatives, third-party auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents. The Audit Committee reports quarterly to our board of directors regarding the Audit Committee’s activities in overseeing cybersecurity risk management.

Management’s Role. Our cybersecurity program efforts are directed by our CISO who, with the support of the chief operating officer, the chief product officer, and the chief legal officer, has the primary responsibility for assessing and managing material cybersecurity risks. The CISO along with these members of our management, acting as a group, drive alignment on security decisions across the Company. The CISO and various members of this group meet quarterly with the Audit Committee to review security performance metrics, identify security risks and review mitigation strategies, and assess the status of approved security enhancements. Our CISO has served in various roles in information technology, information security and risk management for over 27 years, including serving as the Information Security Officer and Chief Security Officer of multiple companies.

Although our “Risk Factors” section in this report presents information about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. Notwithstanding our investment in cybersecurity, we may not be successful in identifying a cybersecurity risk or preventing or mitigating a cybersecurity incident or product security vulnerability that could have a material adverse effect on our business, results of operations, or financial condition. Although we maintain cybersecurity insurance, the costs related to cybersecurity incidents may not be fully insured.

For a discussion of cybersecurity risks affecting our business, see “Item 1A-Risk Factors-Risks Related to our Business and Industry-If we experience a security incident, or unauthorized access to or other unauthorized processing of confidential information, including personal data, otherwise occurs, our software may be perceived as not being secure, customers may reduce the use of or stop using our products, and we may incur significant liabilities.”


Company Information

Name: Elastic N.V.
CIK: 0001707753
SIC Description: Services-Prepackaged Software
Ticker: ESTC - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: April 29