Page last updated on February 6, 2025
APPFOLIO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-06 16:27:00 EST.
Filings
Accession Number: 0001433195-25-000013
Item 1C. Cybersecurity.
Cybersecurity and Risk Management Strategy

Our business involves the storage and transmission of a significant amount of confidential and sensitive information. As a result, we take the confidentiality, integrity, and availability of such information seriously and invest significant time, effort, and resources into protecting such information. Our cybersecurity risk management strategy is designed with the foregoing principles in mind and prioritizes detecting and responding to threats and effective management of security risks.

To implement our cybersecurity risk management strategy, we maintain comprehensive processes and safeguards to secure the data we hold and to assess, identify and manage material risks from cybersecurity threats, including:
- encrypting sensitive data, utilizing a robust 24/7/365 security monitoring system;
- regularly assessing product features for security vulnerabilities;
- periodically conducting internal penetration tests; and
- providing our customers with multi-factor authentication options to help them effectively protect their information.

We also maintain data and cybersecurity protection and control policies to facilitate a secure environment for sensitive information and to ensure the availability of critical data and systems. We have processes in place to assess, identify and manage vendor cybersecurity risks, which include initial and periodic security program reviews and, in cases where personal information is shared, ongoing cybersecurity and privacy obligations that are documented in data processing agreements.

Our cybersecurity policies, standards, and processes are informed by a variety of industry standards and best practices, including the NIST Cybersecurity Framework and ISO 27001. We engage independent third parties to audit our adherence to our cybersecurity policies and conduct infrastructure and application security assessments and penetration testing. These third parties help us assess our internal preparedness, adherence to best practices and industry standards, and compliance with applicable laws and regulations as well as help us to identify areas for continued focus and improvement.

We conduct annual information security awareness training for employees involved in the systems or processes connected to confidential and sensitive information. We also carry insurance that provides certain, limited protection against potential losses arising from a cybersecurity incident.

Cybersecurity Governance

The Risk and Compliance Oversight Committee of our Board of Directors (the “RCOC”) is responsible for overseeing and reviewing AppFolio’s cybersecurity program and cybersecurity risk exposure and the steps taken to monitor and mitigate such exposure. The RCOC updates the full Board of Directors on cybersecurity matters as appropriate.

Our information security team is led by our Chief Information Security Officer (“CISO”), who has served in the role since 2015 and has experience in application security, intrusion detection, penetration testing, complex threat modeling, and unconventional cyber-attack vectors. The CISO oversees a team of information security professionals who are devoted full time to assessing, identifying and managing cybersecurity threats on a day-to-day basis. The CISO attends each quarterly meeting of the RCOC to brief members on information security matters and discuss cybersecurity risks generally.

In addition, our management team has established an Enterprise Risk Management Program (the “ERM Program”), which includes processes designed to assess, identify, manage, categorize, and monitor key current and evolving risks facing AppFolio, including cybersecurity risks. Management is made aware of current and evolving cybersecurity risks through ERM Program reporting and periodic updates at weekly executive leadership team meetings. In the event of a material or potentially material cybersecurity incident, senior members of management are promptly informed of such incident and oversee response and disclosure efforts pursuant to the terms of a documented incident response plan.

Notwithstanding the foregoing efforts, there can be no assurance that our cybersecurity risk management program will entirely eliminate all risks from cybersecurity threats or incidents. Like many other businesses, we have experienced, and expect to continually be subject to, cyber-attacks. While these past cyber-attacks have not materially affected and, in our belief, are not reasonably likely to materially affect us, future cybersecurity incidents and threats may materially affect us, including by affecting our business strategy, results of operations, or financial condition. See Item 1A., "Risk Factors" for additional details regarding cybersecurity risks.
Company Information
Name | APPFOLIO INC |
CIK | 0001433195 |
SIC Description | Services-Prepackaged Software |
Ticker | APPF - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |