Page last updated on March 27, 2025
SailPoint, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:23:58 EDT.
Filings
10-K filed on 2025-03-27
SailPoint, Inc. filed a 10-K at 2025-03-27 16:23:58 EDT
Accession Number: 0002030781-25-000011
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We view managing cybersecurity risk as imperative to protecting the confidentiality, integrity, availability, and resiliency of the information and systems we use to achieve our strategic business goals and satisfy our customers and partners. To that end, we have developed a formal cybersecurity risk management program that is integrated into our broader enterprise risk processes in an effort to protect our applications, networks, and systems from risks from cybersecurity threats. We use elements of the NIST Cybersecurity Framework and other recognized industry standards to inform and guide the design of this program, though we do not purport to meet any particular technical standards, specifications, or requirements of NIST.

We engage with multiple teams across the business, including IT, Product, Engineering, DevOps, Legal, Human Resources, Compliance, and Sales, in an effort to address all aspects and phases of the cybersecurity risk lifecycle, including identification, assessment, treatment, monitoring, and reporting. We also engage with external independent partners on a regular basis to assess the maturity of our cybersecurity risk management program and to recommend improvements thereto, including with respect to third-party risk. We also conduct annual audits and control testing to evaluate the efficiency of our controls across the organization.

Key features of our cybersecurity risk management program include:

- A dedicated team of risk analysts who manage the program and associated activities, such as risk assessments, risk lifecycle management, control assessments, and risk reporting.
- Risk assessments that are conducted by the risk team on a regular basis, which sometimes include emerging topics addressed through targeted risk assessments.
- Security incident response policies and procedures to investigate and respond to security incidents, including procedures to assess the threat of relevant vulnerabilities or security incidents, and to establish remediation and mitigation actions for events.
- Security awareness training campaigns assigned to our users at least twice a year covering a multitude of security and privacy topics.
- Management of third-party risk, including conducting cybersecurity assessments of vendors before onboarding them, followed by ongoing monitoring for compliance with standards.

We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We nevertheless face ongoing risks from cybersecurity threats that, if realized, could affect us, including our operations, business strategy, results of operations, or financial condition.
See Part I, Item 1A, “Risk Factors” in this Annual Report for additional information regarding potential cybersecurity risks, particularly the risk factor titled “Cyber attacks or other cybersecurity breaches, incidents, or disruptions with respect to our networks, systems, or applications, including unauthorized access to, or disclosure or other processing of, our proprietary, confidential, or sensitive information, including personal information, could disrupt our operations, compromise sensitive information related to our business or personal information processed by us or on our behalf, and expose us to liability, which could harm our reputation and adversely affect our business, financial condition, and results of operations, and as we grow, we may become a more attractive target for cyber attacks.”

Cybersecurity Governance

Our Board oversees our risk management efforts and has created a dedicated cybersecurity committee to specifically oversee our cybersecurity risk policies, plans, and programs. The cybersecurity committee typically meets at least quarterly and at each regular meeting, management, including from our Chief Information Security Officer (CISO), provides an update to the committee regarding our cybersecurity risk management program, including with respect to plan design, recent cybersecurity incidents (if any), and general cybersecurity developments.

Our management team, including our CISO, is responsible for assessing and managing our risks from cybersecurity threats under the cybersecurity committee’s oversight. Our current CISO has nearly 20 years of cybersecurity experience in both the public and private sectors.
His senior public sector roles include Senior Policy Advisor and the Director of Stakeholder Engagement in the Office of the National Cyber Director, Chief of Cyber Threat Analysis at the Cybersecurity and Infrastructure Security Agency (CISA), CISO of the Pandemic Response Accountability Committee, and Deputy CISO of the Pension Benefit Guaranty Corporation.

Our CISO leads an internal cybersecurity team comprised of individuals with varying experience and skillsets. This team covers a variety of cybersecurity-related functions, including security operations, strategy and governance risk and compliance, program management, security architecture and engineering, vulnerability management, and product security. We also have a dedicated security operations center that is responsible for detection and monitoring of cybersecurity incidents.

Our CISO takes steps to stay informed about and monitor the identification, prevention, detection, protection, mitigation, and remediation of key cybersecurity risks and incidents through various means. In the case of a security event, the security incident response plan is activated to respond to the security event. We also assess and manage our cyber risks through our internal Information Security and Privacy Governance Committee, which is composed of a cross-organizational leadership team and was formed to oversee the management, operation, and overall effectiveness of the information security management system.
Company Information
Name | SailPoint, Inc. |
CIK | 0002030781 |
SIC Description | Services-Prepackaged Software |
Ticker | SAIL - Nasdaq |
Fiscal Year End | January 30 |