GoDaddy Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

GoDaddy Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:55:56 EST.

Filings

10-K filed on 2025-02-20

GoDaddy Inc. filed a 10-K at 2025-02-20 16:55:56 EST
Accession Number: 0001609711-25-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity GoDaddy maintains an enterprise-wide cybersecurity program designed to manage cybersecurity risk. Board and Audit and Finance Committee Governance Our board of directors (the Board) manages cybersecurity risks as part of the company’s overall risk management framework. The Board oversees the company’s cybersecurity risk management program through the Board’s Audit and Finance Committee (the Audit Committee). The Audit Committee receives verbal and written reports at least quarterly from GoDaddy’s Chief Information Security Officer (CISO) regarding our company’s cybersecurity risk management program and cybersecurity-related risks. The Audit Committee consists of Board members with diverse expertise in risk management, technology, finance and cybersecurity, including oversight of security teams. Our CISO provides the full Board with written quarterly and annual reports on our cybersecurity program and material cybersecurity-related risks, and the chair of the Audit Committee provides a quarterly summary of the Audit Committee’s cybersecurity discussion to the full Board . Management of Cybersecurity Risk Our senior management is responsible for identifying, assessing, and managing the company’s material cybersecurity risks. Our CISO oversees our programs for identifying, assessing, and managing our cybersecurity risks. Our CISO reports to our Chief Operating Officer (COO) and regularly provides updates to our CEO on significant cybersecurity-related matters. Our CISO also provides written monthly and quarterly reports on our cybersecurity program and risks to the CEO, Chief Technology Officer, and other key executives. Our CISO has more than 19 years’ experience in cybersecurity, networking, and related technologies. Our CEO has more than 28 years’ experience in e-commerce technology, engineering, and other related areas. Our CISO works with an enterprise-wide cybersecurity team that provides 24/7/365 support. Our cybersecurity policies, procedures, and strategies primarily are implemented by our information security department. Other personnel and departments in the company also assist with cybersecurity risk management, including but not limited to our technology organization and our privacy, legal, vendor risk management, and corporate audit services teams. We have also developed processes to integrate cybersecurity risk management within the company’s product and software development processes. In addition, product teams and business unit leaders are involved in product-related cybersecurity risk management. Third-Party Consultants and Auditors We use uses third-party auditors and consultants in connection with obtaining and maintaining industry certifications for certain products and services. We also have engaged third-party consultants in the past and may engage third-party consultants in the future for specific projects and engagements, such as responding to cybersecurity incidents. Our third-party financial auditors also include material cybersecurity risks and events as part of their financial audits. Third-Party Cybersecurity Risk Management We engage with third parties to provide us with hardware, software, and services to operate our information systems and run our business. We also rely on third parties to provide hardware, software, and services relating to our cybersecurity program. When engaging a third-party vendor or service provider, we use a variety of processes and controls to identify and oversee risks relating to that engagement, which may include one or more of the following: - including provisions in vendor contracts that set minimum cybersecurity requirements; - installing monitoring software to detect malicious software and activities in third party systems; - monitoring for and applying patches to third-party hardware and software to address vulnerabilities; and - performing security assessments before engaging new vendors or acquiring new hardware and software. Despite our efforts, our control over and ability to monitor the security of third parties is limited and there can be no assurance that we can prevent, mitigate or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by third parties. Additionally, any contractual protections with such third parties may be limited or insufficient to prevent a negative impact on our business from such compromise or failure. Cybersecurity Threat Monitoring and Incident Response We monitor for threats to our information systems through a combination of automated intrusion detection monitoring solutions, review of log data, and other activities. We require security training for all company personnel, including instructions regarding the proper methods for reporting potential cybersecurity incidents. We also provide mechanisms for interested third parties, including security researchers and law enforcement, to provide notice of potential cybersecurity threats. In addition, we monitor third-party sources for notice of cybersecurity incidents that may affect company vendors and other parties with whom we do business. Potential and actual cybersecurity incidents are primarily handled by our internal incident response team, which is supervised by our CISO. Our incident response team is responsible for assessing the potential risk posed by an incident, providing notice to appropriate stakeholders in the company based on the perceived risk, and coordinating the assessment, containment, mitigation, and remediation efforts. Depending on the severity and scope of the incident, we also may engage external consultants. Security personnel and consultants retained by our service providers also may be involved in cases where our vendors experience a cybersecurity incident. We have processes for escalating an incident to determine whether it is material and requires notification required under applicable laws, rules and regulations.

Company Information