F5, INC. 10-K Cybersecurity GRC - 2024-11-18

Page last updated on November 18, 2024

F5, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-18 17:30:03 EST.

Filings

10-K filed on 2024-11-18

F5, INC. filed a 10-K at 2024-11-18 17:30:03 EST
Accession Number: 0001048695-24-000185


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risks; and reputational risks. Our process for identifying and assessing material risks from cybersecurity threats operates in conjunction with our overall risk management systems and processes, covering all company risks.

Our cybersecurity risk management program is led by our Chief Information Security Officer (“CISO”), who manages our security team and is principally responsible for our cybersecurity risk assessment processes, our security controls, and our detection and response to cybersecurity incidents. Our program includes protocols for preventing, monitoring, detecting and responding to cybersecurity events and incidents, and cross-functional coordination and governance of business continuity and disaster recovery plans.

Components of our program include:

- risk assessments designed to help identify cybersecurity threats to our products and related supportive infrastructure, critical IT systems, information, and our broader enterprise IT environment;
- monitoring, detection and collection and analysis of information regarding evolving, ongoing, and emerging threats and vulnerabilities, and corresponding actions to assess and remediate corresponding risks;
- regular testing and assessments to identify vulnerabilities;
- the periodic engagement of independent security firms and other third-party experts, where appropriate, to assess, test, and certify components of our cybersecurity program, and to otherwise assist with aspects of our cybersecurity processes and controls;
- annual cybersecurity awareness training for our employees;
- regular assessments of the design and operational effectiveness of the program’s key processes and controls by our internal audit team as well as external consultants; and
- a risk management process for third-party service providers and vendors that includes due diligence in the selection process and periodic monitoring regarding adherence to applicable cybersecurity standards.

We also have a cybersecurity incident response plan to assess and manage cybersecurity incidents, which includes escalation procedures based on the nature and severity of the incident, including, where appropriate, escalation to the Risk Committee and the Board. We periodically perform tabletop exercises to test our incident response procedures, identify gaps and improvement opportunities, and assess team preparedness.

As part of our overall risk mitigation strategy, we maintain insurance coverage that is intended to address certain aspects of cybersecurity risks; however, such insurance may not be sufficient in type or amount to cover us against claims related to cybersecurity breaches, cyberattacks and other related breaches. We periodically review our cybersecurity insurance program.

As of the date of this report, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations or financial condition. Despite our security measures, however, there can be no assurance that we, or third parties with whom we interact, will not experience a cybersecurity incident in the future that will materially affect us. For more information on our cybersecurity related risks, see Part I, Item 1A. “Risk Factors,” including “Security vulnerabilities or control failures in our IT infrastructure or multicloud application security and delivery products and services as well as unforeseen product errors could have a material adverse impact on our business, results of operations, financial condition and reputation.”

Governance

Our Board of Directors is actively involved in overseeing risks from cybersecurity threats and is assisted in that oversight by its Risk Committee. The Risk Committee reviews and assesses the Company’s cybersecurity risk exposure and evaluates the adequacy and effectiveness of related risk management processes and policies.

As part of the oversight process, the Risk Committee has the following responsibilities, among others:

- reviews and advises on our cybersecurity and operational risk strategy, resiliency, crisis and incident management, and security-related information technology planning processes, and reviews strategy and implementation for investing in related systems, controls, and procedures with management;
- reviews our compliance with applicable global data protection and security laws and regulations, and the Company’s adoption and implementation of systems, controls and procedures designed to comply with such laws and regulations;
- reviews plans for periodic assessments and related findings and remediation of our cybersecurity and operational risk and incident response and disaster recovery programs by outside professionals;
- reviews analyses of our cybersecurity and operational risks by management and third parties, as applicable; and
- evaluates our disclosure controls and procedures related to cybersecurity to ensure timely and accurate reporting of cybersecurity and operational risks and incidents, as appropriate.

The Risk Committee meets at least four times a year and regularly reports to the full Board, including regarding its review and assessment of cybersecurity risk oversight matters and related recommendations. The Board of Directors discusses our programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of F5’s business strategy. The Risk Committee receives periodic updates from our CISO, and other persons the Risk Committee deems appropriate, on a range of cybersecurity matters, including those referenced above as well as on the status of the Company’s cybersecurity posture and risk mitigation efforts. If cyber-related issues arise between Risk Committee meetings that the CISO believes could have a material adverse impact on the Company, the CISO, or another appropriate risk management leader, will report to the Chair of the Risk Committee.

At the management level, our CISO leads our enterprise-wide cybersecurity program in partnership with other business leaders, including our General Counsel and Chief Operating Officer. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above.

In December 2023, our CISO retired after three years in the position, and a career spanning over twenty-five years as an industry-recognized leader in cybersecurity, information technology, and risk management. Her replacement has served in various roles in information technology, security and risk management for over 15 years, including having previously served as the CISO of two other publicly traded technology companies. In September 2024, our current CISO began transitioning to a new role within the Company, and as a result, we have appointed an interim CISO while we conduct a search for his permanent replacement. Our interim CISO has over 25 years of experience in technology and information security operations across a diverse range of business sectors.


Company Information

Name: F5, INC.
CIK: 0001048695
SIC Description: Computer Communications Equipment
Ticker: FFIV - Nasdaq
Category: Large accelerated filer
Fiscal Year End: September 29