Page last updated on September 19, 2024
Nutanix, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-19 16:59:17 EDT.
Filings
10-K filed on 2024-09-19
Nutanix, Inc. filed a 10-K at 2024-09-19 16:59:17 EDT
Accession Number: 0000950170-24-108159
Item 1C. Cybersecurity.
Cybersecurity is an important component of our overall enterprise risk management strategy. We are committed to protecting our information systems and data from a wide range of cybersecurity threats, including operational risks, intellectual property theft, fraud, extortion, privacy violations, legal risks, and reputational damage. Our approach integrates comprehensive processes and technologies designed to identify, assess, and mitigate these risks.

Risk Management and Strategy

- Enterprise Risk Management Integration: Our cybersecurity program is integrated into our broader enterprise risk management program (“ERM”). This integration is designed to ensure that cybersecurity risks are evaluated alongside other risks to the organization. Our ERM framework is periodically refreshed and involves collaboration with subject matter experts to assess the severity of potential cybersecurity threats and develop appropriate mitigation strategies.
- Advanced Cybersecurity Processes: We employ a multi-faceted approach to cybersecurity:
  - Security and Privacy Reviews: Regular reviews of new features, software, and vendors help us work to identify and address potential risks before they impact our systems.
  - Security Development Lifecycle: Our internal software development lifecycle process is designed to build our products in part relying upon industry-standard practices and third-party tools and services to test our code and bundled third-party libraries for known security misconfigurations and errors.
  - Vulnerability Management: We operate a robust vulnerability management program designed to identify and address hardware and software vulnerabilities proactively.
  - Network and System Monitoring: Our systems are monitored using a range of tools designed to detect suspicious activities and potential breaches in real time.
  - Threat Intelligence Program: Our threat intelligence program models and researches potential adversaries, enhancing our preparedness against emerging threats.
  - Training and Simulations: We regularly conduct training and simulations designed to ensure our teams are prepared for a variety of cybersecurity scenarios.
  - Security Ecosystem: We routinely and regularly engage with consultants, assessors, auditors, and other expert third parties to help us in our understanding, discovery, and response to risks based on their growing impact or likelihood.
  - Frameworks and Standards: Our cybersecurity practices are designed with reference to industry-standard frameworks, including those from the International Organization for Standardization and the National Institute of Standards and Technology and other internationally recognized standards, which can be found here: https://www.nutanix.com/trust/compliance-and-certifications, which link is included as an inactive reference and the content of which is not incorporated by reference into this Annual Report on Form 10-K. We continually work to improve our security controls based on these standards and industry best practices.
- Incident Response and Recovery: We have established a comprehensive Privacy and Cybersecurity Incident Response Program to manage and respond to cybersecurity incidents. This program includes processes for triaging, assessing, escalating, containing, investigating, and remediating incidents. We also maintain procedures to comply with legal obligations and mitigate reputational damage. Regular tabletop exercises help us test and strengthen our incident response capabilities.
- Vendor Risk Management: Our vendor risk management program is designed to mitigate risks associated with third-party service providers. This program includes pre-engagement diligence, contractual security provisions, and ongoing monitoring of third-party compliance with our security requirements.

We also have an external bug bounty program to identify and address vulnerabilities before they can be exploited. Information on the cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors.” We believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. However, we remain subject to risks from unknown or future cybersecurity threats that could materially affect us, including our business strategy, results of operations or financial condition. We remain vigilant and continue to invest in security technologies and practices to safeguard our systems.

Governance

- Board and Committee Oversight: Our Board of Directors (our “Board”) plays an active role in overseeing cybersecurity risks. Our Board’s Security and Privacy Committee, which is composed entirely of independent directors, assists our Board in its oversight of our management of technology and information security risks and compliance with data protection and privacy laws. This committee regularly reviews our cybersecurity programs and policies as part of our overall risk management and business strategy discussions, and receives regular updates from management on our data security posture, third-party assessments, and progress toward risk-mitigation goals. The committee also reviews incident response plans and any significant cybersecurity threats or incidents. Our Board’s Security and Privacy Committee reports quarterly to our Board regarding its activities in overseeing cybersecurity risk management.
- Management’s Role: Our Chief Information Security Officer (“CISO”) leads our global cybersecurity program, overseeing risk identification, evaluation, and response to material security incidents. The CISO partners with a cross-functional leadership team including the Chief Product Security Officer (“CPSO”), Chief Information Officer (“CIO”), and Legal and Privacy Counsel, to develop and implement our overall cybersecurity strategy. This team contributes to the development of policies, monitors evolving risks, manages the overall cybersecurity and privacy programs, and reports on these and related topics to our Board’s Security and Privacy Committee. Our CISO has served in various roles in information technology and information security for over 25 years, including previously serving as Chief Information Security Officer at two other companies. He holds an undergraduate degree in computer science. Our CPSO spent most of the first two decades of his career with the U.S. Department of Defense, where he held various roles in information technology and other high-governance technology-driven positions. Over the past ten years, he has built security programs with Nutanix, which has culminated in his current role. He holds an undergraduate degree in computer information systems.
- Incident Management: Our Enterprise and Product Security Team manages our incident response efforts. This team assesses incidents’ severity, coordinates the response, and communicates with relevant stakeholders. Our Security and Privacy Management Team, including, as appropriate, our CISO, CIO, and CPSO, provides additional expertise and support as needed.
Company Information
Name | Nutanix, Inc. |
CIK | 0001618732 |
SIC Description | Services-Prepackaged Software |
Ticker | NTNX - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | July 30 |