Palo Alto Networks Inc 10-K Cybersecurity GRC - 2024-09-06

Page last updated on September 6, 2024

Palo Alto Networks Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-06 16:14:01 EDT.

Filings

10-K filed on 2024-09-06

Palo Alto Networks Inc filed a 10-K at 2024-09-06 16:14:01 EDT
Accession Number: 0001327567-24-000029


Item 1C. Cybersecurity.

As a global cybersecurity provider, cybersecurity risk management is an integral part of our overall enterprise risk management program. We recognize the critical importance that a strong cybersecurity risk management program plays in maintaining the trust and confidence of our customers, end users, business partners, stockholders and employees. We have established processes and procedures for identifying, evaluating, and responding to risks from cybersecurity threats, including any potential unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems, data, or information assets.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program includes written policies, standards, and procedures for maintaining data privacy, product security and information security to mitigate cybersecurity risks, and to identify, evaluate and respond to cybersecurity threats, vulnerabilities and incidents. Our cybersecurity risk management program and strategy is implemented across several areas, which include, but are not limited to, the following:

- Information Security. We maintain a written information security program, which provides for policies, standards, guidelines, and administrative, technical and physical safeguards that we believe are reasonably designed, in light of the nature, size and complexity of our operations, to protect the resiliency of our operations and the confidentiality, integrity, and availability of our information systems, data, and information assets. The organizational, administrative and technical measures we implement are based on recognized security frameworks established by the National Institute of Standards and Technology, security measures aligned with the ISO/IEC 27000 series of standards, and other generally recognized industry standards. The program is assessed regularly and in light of new and emerging cybersecurity risks.

- Technical Safeguards and Product Security. We deploy and maintain a variety of technologies to prevent and detect cybersecurity threats across the network, endpoint and cloud. We also apply security-by-design principles in our software development lifecycle, track vulnerabilities of open-source software, and run internal and external network scans at least weekly and after any meaningful change in our network configuration. We conduct regular application security assessments, including our assessments for internet-facing applications that collect, transmit, or display end user data. We also employ tooling in certain areas to help prevent deviations from policy.

- Incident Response and Reporting. We maintain incident response and recovery protocols to enable prompt, effective and orderly identification, evaluation, management, and disposition of actual and potential security threats and incidents, including for purposes of escalation and internal and external notification steps. We maintain a cross-functional incident response team, including senior representatives from information security, information technology, product, legal, privacy, communications and accounting, that is involved in assessing cybersecurity threats and incidents, assigning severity levels, and evaluating the potential impact, including the potential impact on our business strategy, results of operations and financial condition. This allows for prompt direction of appropriate personnel and resources for incident management and response, and internal notification to appropriate members of management, which may include our chief executive officer, chief product officer, chief information security officer, general counsel, chief financial officer, and/or chief accounting officer, and the security committee of our board of directors (the “Security Committee”). The protocols also establish steps designed to publicly report and/or alert external stakeholders as and when required by applicable law or otherwise determined appropriate.

- Third-Party Risk Management. We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by certain third parties, including vendors, service providers, suppliers, operations parties, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. This includes a security process to conduct due diligence prior to engaging contractors and vendors and assess the security capabilities of subcontractors and vendors on a periodic basis.

- Risk and Readiness Assessments. We engage in at least quarterly assessments and testing of the effectiveness of our cybersecurity risk management program and incident response protocols that are designed to identify and evaluate vulnerabilities and weaknesses, address cybersecurity threats and test our readiness to respond to cybersecurity incidents. These efforts include, but are not limited to, threat modeling, vulnerability scans, penetration testing, audits, and tabletop exercises. We regularly engage third parties to perform assessments on our cybersecurity measures, such as audits and independent reviews of our compliance with various security compliance standards, including those established by the American Institute of Certified Public Accountants, operating effectiveness and penetration tests. The results of such assessments are reported to management and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

- Awareness and Training. We provide regular training for educating employees about corporate policies and procedures and information security designed to provide our employees with knowledge of best practices and effective tools for safeguarding our data and assets and reducing security risks based on the human threat vector. Our information security compliance training, data protection training, and code of conduct training are mandatory for all employees.

- Governance. As discussed in more detail below under the heading “Cybersecurity Governance,” our board of directors has delegated oversight of enterprise security risk management, including, but not limited to, cybersecurity risk management to the Security Committee. As part of our cybersecurity risk management procedures, senior members of management and the Security Committee are informed regarding security events based on established reporting thresholds, and are provided ongoing updates regarding any such meaningful threat or incident.

We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially impacted or are reasonably likely to materially impact us, including our business strategy, results of operations, or financial condition, to date. However, we face ongoing and increasing cybersecurity risks, including from threat actors that are becoming more sophisticated and effective over time, and we can provide no assurance that there will not be incidents in the future or that past or future threats or incidents will not materially affect us, including our business strategy, results of operations, or financial conditions. For additional information regarding these risks, please refer to Part I, Item 1A, “Risk Factors,” in this Form 10-K, including, but not limited to, the risk factor entitled “A network or data security incident may allow unauthorized access to our network or data, harm our reputation, create additional liability, and adversely impact our financial results.”

Cybersecurity Governance

The Security Committee, which is composed of all of our independent directors, facilitates our board of directors’ responsibility for oversight of security matters, including product security, data security, cybersecurity, security risk management, risk exposure and related controls and enterprise risk management related to these risks. The Security Committee reports regularly to the Board following meetings of the Security Committee with respect to its review and assessment of security matters and other matters that are relevant to the Security Committee’s discharge of its responsibilities. The Security Committee meets quarterly to review with our chief information security officer and other members of management, which may include our chief executive officer, chief product officer, chief financial officer, and general counsel, our cybersecurity programs, cybersecurity risks, mitigation or remediation strategies, and other matters impacting the committee’s responsibilities. Management is responsible for day-to-day risk management activities, including identifying, assessing and managing our exposure to cybersecurity risks, establishing processes and procedures to ensure that potential cybersecurity risk exposures are monitored, implementing appropriate mitigation or remediation measures as needed, and maintaining cybersecurity risk management programs.

Our chief information security officer is responsible for defining, overseeing, managing, implementing, and reviewing compliance with the information security programs described above under the heading “Cybersecurity Risk Management and Strategy.” Our chief information security officer receives regular reports from our information security team and monitors the prevention, detection, and mitigation or remediation of cybersecurity risks. In addition, as described in further detail above under the heading “Cybersecurity Risk Management and Strategy,” a cross-functional team is involved in assessing and managing the risks from cybersecurity threats and incidents, and reporting information about risks to the Security Committee. Our information security team consists of dedicated personnel who are experienced information systems security professionals and information security managers with many years of experience across a variety of technology sub-specialties. In particular, our chief information security officer has extensive experience in the management of cybersecurity risk management programs, having served in various roles in information technology and security for over 20 years, including having previously served as the chief security officer of two other publicly traded technology companies. In addition, six of the ten members of our board of directors have expertise in overseeing cybersecurity and information security management.


Company Information

Name: Palo Alto Networks Inc
CIK: 0001327567
SIC Description: Computer Peripheral Equipment, NEC
Ticker: PANW - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: July 30