MICROSTRATEGY Inc 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

MICROSTRATEGY Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 08:00:38 EST.

Filings

10-K filed on 2025-02-18

MICROSTRATEGY Inc filed a 10-K at 2025-02-18 08:00:38 EST
Accession Number: 0000950170-25-021814

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As part of our cybersecurity risk management framework, we have implemented comprehensive Corporate Incident Response Plans (IRPs) and other policies and procedures designed to ensure the assessment, identification, and management of material risks from cybersecurity threats, and to facilitate timely disclosure of material cybersecurity incidents in accordance with SEC rules. Our policies provide for cybersecurity awareness training for employees and engagement in due diligence processes in accordance with industry best practices for third-party vendors, including those handling critical services or sensitive data on our behalf. Our policies also provide for regular, senior management-led table-top exercises simulating cyberattack scenarios to ensure preparedness and response agility. We undertake an annual review of our policies to help ensure their effectiveness and relevance in light of evolving cybersecurity threats. Additionally, we maintain cyber insurance to help cover costs associated with the occurrence of certain cybersecurity events. We do not currently engage any other third parties as part of our cybersecurity risk management framework, but we do use third party services and products in the ordinary course with respect to certain common cybersecurity threats. Our IRPs, which are tailored to address potential cybersecurity threats in both our product and corporate infrastructure technology environments, are designed to provide a comprehensive, structured response to cybersecurity incidents, and apply to all Strategy personnel, including employees, directors, temporary staff, and contractors. In accordance with our IRPs, we train our personnel to report any cybersecurity incidents to our Information Security Team (IST). Upon identification of a cybersecurity incident, the IRPs mandate that the IST conduct an immediate evaluation and assign a severity rating to the incident and, depending on the severity, report the incident to our Chief Information Security Officer (CISO) . Based on the severity of the incident, a Security Incident Response Team (SIRT), the members of which include our Chief Technology Officer (CTO), the CISO, and personnel from various departments, 43 including legal, is convened. The SIRT, with assistance from the IST, is tasked with executing a timely and effective response to the incident, and SIRT members are assigned specific roles and responsibilities, including assessment of the incident’s materiality for disclosure purposes . Our CTO and CISO oversee our cybersecurity preparedness. Our CTO has over 25 years of experience in the technology sector, including specifically in the cybersecurity industry, and held various leadership positions prior to joining Strategy in 2018. Our CISO, who joined Strategy as CISO in 2021, has over 20 years of experience with cybersecurity and privacy, and has experience with IT infrastructure technologies, including cloud, network, server, endpoint, and mobile technologies. Our CISO holds a master’s degree in computer science and multiple industry-recognized cybersecurity certifications. The IST operates under our CISO’s leadership, who in turn reports to our CTO . We administer our cybersecurity risk management framework separately from our other risk management systems and processes, under the oversight of the audit committee of our board of directors and senior management. Strategy’s management, including our CTO and CISO, provides the audit committee with regular updates on cybersecurity incidents and emerging threats. The audit committee actively engages with management on the development and implementation of cybersecurity policies and practices, offering insights and guidance . Additionally, board members with significant experience in software technology, such as Michael J. Saylor and Leslie J. Rechan, each with over 30 years of software industry experience, and Phong Le, our Chief Executive Officer, contribute their expertise to our cybersecurity risk management. Unauthorized parties have attempted, and we expect that they will continue to attempt, to gain access to our systems and facilities, as well as those of our third-party vendors, through various means, such as hacking, social engineering, phishing, and fraud. However, the Company does not believe that there are currently any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. See “Item 1A. Risk Factors - Risks Related to Our Bitcoin Strategy and Holdings - If we or our third-party service providers experience a security breach or cyberattack and unauthorized parties obtain access to our bitcoin, or if our private keys are lost or destroyed, or other similar circumstances or events occur, we may lose some or all of our bitcoin and our financial condition and results of operations could be materially adversely affected” and “Item 1A. Risk Factors - Risks Related to Our Operations - If we or our third-party service providers experience a disruption due to a cybersecurity attack or security breach and unauthorized parties obtain access to our customers’, prospects’, vendors’, or channel partners’ data, our data, our networks or other systems, or the cloud environments we manage, our offerings may be perceived as not being secure, our reputation may be harmed, demand for our offerings may be reduced, our operations may be disrupted, we may incur significant legal and financial liabilities, and our business could be materially adversely affected.”

Company Information