BILL Holdings, Inc. 10-K Cybersecurity GRC - 2024-08-23

Page last updated on August 23, 2024

BILL Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-23 16:06:07 EDT.

Filings

10-K filed on 2024-08-23

BILL Holdings, Inc. filed a 10-K at 2024-08-23 16:06:07 EDT
Accession Number: 0001786352-24-000035


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our management and board of directors recognize the critical importance of maintaining the trust and confidence of our customers, partners, and employees, including the importance of managing cybersecurity risks, and we have integrated these policies and procedures into our overall risk management systems and processes. While everyone at our company is expected to play a part in managing cybersecurity risks, our board of directors, as discussed in more detail under “-Governance” below, through delegation to the cybersecurity committee of the board of directors (the cybersecurity committee), and key members of our senior management team, are involved in the oversight of our information security program. Our information security program is based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards, and is integrated into our overall enterprise risk management program. We utilize an overarching framework to address enterprise information security governance, which seeks to protect information assets and systems against attacks and incidents while establishing appropriate security as a priority for our information technology infrastructure and throughout the product development process. Our information security team, including a “red team” of dedicated engineers, and certain cross-functional employees routinely assess material risks from cybersecurity threats, and assess and update our cybersecurity risk management program in response to emerging trends and changes in our operations. We also engage third parties, including consultants and auditors, to evaluate the effectiveness of our risk management program, control environment, and cybersecurity practices through security audits, penetration testing, and other engagements.
Our information security program is managed by a dedicated Chief Information Security Officer (CISO), who reports to our Chief Technology Officer and oversees a team responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Our foundational security engineering, governance, risk and compliance, product security and security operations teams report into our CISO and provide regular updates on significant or potentially significant threats and incidents. Our CISO has over 20 years of experience in information security, serving in roles of increasing responsibility within several public companies including companies in the cybersecurity and software fields. In addition, our Deputy CISO has nearly 20 years of experience serving in information security roles in healthcare and technology companies. Our information security program includes an incident response program that coordinates activities across multiple teams in responding to cybersecurity incidents in accordance with a defined Incident Management Policy. This program is designed to detect, analyze, and escalate cybersecurity events, and includes a cybersecurity incident response team responsible for containment and recovery activities, and a crisis response team to liaise with business stakeholders, secure priority resources, and validate completion of any post-incident activities. In addition, we have established an executive security risk management committee composed of senior representatives of our legal, finance, information security, product, and marketing teams which meets on a quarterly basis to review our information security program and any noteworthy developments in the quarter. Finally, we coordinate internal simulations of cybersecurity incidents periodically to test the processes we have established.
We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. We conduct initial due diligence on the cybersecurity profile of our vendors as they are onboarded and provide continuous monitoring of critical third-party infrastructure and monitor any known breaches of those third-party systems. We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We also provide regular, mandatory training for our personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats and to communicate our evolving information security policies, standards, processes and practices. Although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. If we or our partners were to experience a material cybersecurity incident in the future, such incident may have an adverse effect, including on our business operations, operating results, or financial condition. For more information regarding cybersecurity risks that we face and the related potential impacts on our business, see the risk factor titled “We, our partners, our customers, and others who use our services obtain and process a large amount of sensitive data. Any real or perceived improper or unauthorized use of, disclosure of, or access to such data could harm our reputation as a trusted brand and adversely affect our business, operating results, and financial condition.”

Governance

In light of the critical importance of cybersecurity to our business, in the spring of 2023, our board of directors formed a standing cybersecurity committee. The cybersecurity committee meets quarterly and is responsible for reviewing with management our cybersecurity and other information technology risks, controls and processes, including the processes used to prevent or mitigate cybersecurity risks and respond to cybersecurity events. These reports include updates on our information security risks and threats, any notable incidents, escalations or third-party risks, the status of projects to strengthen our information security systems, assessments of the information security program, the emerging threat landscape and company security culture. The CISO provides reports at least quarterly to the cybersecurity committee as well as to our Chief Executive Officer, Chief Technology Officer, and other members of our senior management, as appropriate. The cybersecurity committee also receives quarterly updates from our legal department and third-party experts. Our cybersecurity committee provides regular updates to the board of directors on such reports, and coordinates with the audit committee of the board of directors with respect to any risks with implications for our financial reporting, accounting, internal controls or other matters presenting significant financial risk. Our information security program is regularly evaluated by internal and external parties with the results of certain reviews reported to senior management and the cybersecurity committee.
We also actively engage with key vendors and industry participants as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. Our cybersecurity committee will also receive prompt and timely information regarding any material cybersecurity threats or incidents, as well as ongoing updates regarding any such threat or incident until it has been mitigated, resolved, or otherwise addressed. To mitigate the impact of any cybersecurity incidents, we maintain cybersecurity insurance in amounts that we believe are appropriate for our business, which provides coverage for such incidents.


Company Information

Name: BILL Holdings, Inc.
CIK: 0001786352
SIC Description: Services-Prepackaged Software
Ticker: BILL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 29