C3.ai, Inc. 10-K Cybersecurity GRC - 2024-06-18

Page last updated on July 16, 2024

C3.ai, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-18 16:14:50 EDT.

Filings

10-K filed on 2024-06-18

C3.ai, Inc. filed a 10-K at 2024-06-18 16:14:50 EDT
Accession Number: 0001628280-24-028786


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Mitigation Strategies

As part of our commitment to safeguarding our assets and maintaining the integrity of our operations, C3 AI has established a comprehensive cybersecurity risk management program. This program is designed to identify, assess, and mitigate cybersecurity risks that could potentially impact our business operations, customers, and stakeholders.

C3 AI employs a multi-layered approach to identify and assess cybersecurity threats. This includes:

- Regular vulnerability scanning: We conduct internal and external vulnerability scans of our systems and applications to identify potential weaknesses that attackers could exploit.
- Penetration testing: We engage independent security professionals to conduct simulated cyberattacks on our systems to assess the effectiveness of our security controls.
- Threat intelligence monitoring: We subscribe to threat intelligence feeds that provide us with real-time information about the latest cyber threats and vulnerabilities.
- Risk assessment framework: We utilize a risk assessment framework to categorize identified threats based on likelihood and potential impact on our business operations, financial stability, and reputation. This framework includes third-party vendor risk assessment to manage cybersecurity risks associated with our use of these providers. The third-party vendor risk assessment framework includes the following:
  ◦ Perform due diligence of the vendors' standards, including reviewing security policies, certifications, and third-party attestation and past security incidents.
  ◦ Request vendors to complete security questionnaires and provide any security and vulnerability scans.
  ◦ Define security expectations within the vendor contract, including data security obligations, access controls, incident reporting procedures, security assessment calls if necessary, and review of the incident response plan, business continuity plan and disaster recovery plan.

- Network security: Firewalls, intrusion detection/prevention systems (IDS/IPS), and data loss prevention (DLP) solutions are deployed to monitor and filter network traffic.
- Endpoint security: Antivirus, anti-malware, and Mobile Device Management solutions are implemented on all company devices.
- Access controls: User access controls are implemented to restrict access to sensitive data and systems based on the principle of least privilege.
- Data security: Encryption solutions are used to protect sensitive data both at rest and in transit.
- Security awareness and training: We provide regular security awareness training to all employees to educate them on cybersecurity best practices and phishing attempts.

For a description of the risks from cybersecurity threats that may materially affect us, see the section titled "Risk Factors" contained in Part I, Item 1A of this Annual Report on Form 10-K.

Cybersecurity risk management is integrated with our overall enterprise risk management framework. Identified cybersecurity risks are reported through established channels to relevant stakeholders, including senior management and the Board of Directors. Mitigation strategies are prioritized and incorporated into the overall risk management plan.

We continuously identify and evaluate potential cybersecurity threats. While the nature of cyber threats makes it impossible to predict all future incidents, some currently identified material cybersecurity risks include:

- Ransomware attacks that could disrupt business operations and lead to data breaches.
- Phishing attacks that could compromise employee credentials and provide unauthorized access to sensitive data.
- Supply chain attacks targeting third-party vendors with access to our systems or data.

Governance

Management is responsible for the overall implementation and effectiveness of the cybersecurity program. This includes allocating resources, establishing policies, and ensuring employee adherence to security practices.
The VP of Information Security leads the cybersecurity team and reports directly to the VP of Cloud Infrastructure. The Audit Committee of the Board of Directors has specific oversight responsibilities related to cybersecurity, including review of security controls and incident response plans. Management provides updates to the Audit Committee on cybersecurity risks and the effectiveness of our cybersecurity program.

Our commitment to security is evidenced by our certifications under ISO 27001, ISO 27017, SOC 2 Type II, HIPAA, NIST 800-171 and FedRAMP. Additionally, we subject our standards-based certifications to annual audits by third parties and have successfully undergone examinations such as the Health Insurance Portability and Accountability Act (HIPAA), validated by qualified third-party assessors.

There were no material cybersecurity incidents experienced by C3 AI during the fiscal year ended April 30, 2024.


Company Information

Name: C3.ai, Inc.
CIK: 0001577526
SIC Description: Services-Prepackaged Software
Ticker: AI - NYSE
Category: Large accelerated filer
Fiscal Year End: April 29