|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:
Governance: As discussed in more detail above under the heading, “Governance,” our board of directors’ oversight of cybersecurity risk management is supported by the Cybersecurity Committee, which regularly interacts with executives with responsibility for cybersecurity, our Chief Executive Officer, Chief Technology Officer and President, Chief Financial Officer, Chief Operating Officer/General Counsel, our CISO, and other members of management. Our CISO is primarily responsible for our cybersecurity risk management program and partners with our legal team on data privacy matters at the management level. Our CISO, Dr. Carl Windsor, has over 25 years of experience in various technology and cybersecurity leadership positions, including over 18 years at our company driving product security and strategy and reports to the board Cybersecurity Committee. The CISO’s leadership team members are all seasoned information security professionals, covering a wide range of security disciplines, who have worked at some of the largest well-known brand names and are experts in their fields. Our CISO monitors, and participates in, our various cybersecurity policies and procedures, and our cybersecurity team regularly updates our CISO on the current status.
Management is promptly updated regarding any significant security events and the Cybersecurity Committee regularly reviews updates from our CISO, information security and product security leaders about cyber threat response preparedness, security controls and procedures, security program maturity milestones, risk and approaches to risk mitigation and the current and emerging threat landscape. In addition, all members of our board of directors receive management’s cybersecurity updates to the Cybersecurity Committee as part of their regular attendance at meetings of our board of directors.
Collaborative Approach: We have implemented a broad, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. In addition, we manage a cross-functional program across our engineering, manufacturing and technical services teams, together with our suppliers and channel partners, designed to ensure the proper security of our products from design through manufacture and shipment.
Information Security: We implement organizational, administrative and technical measures based on commercially reasonable procedures using: (i) industry standard information security measures prescribed for use by NIST; (ii) security measures aligned with the ISO/IEC 27000 series of standards; (iii) Sarbanes-Oxley and SSAE 18/ISAE 3402; (iv) privacy regulations such as the GDPR and the CCPA; (v) business continuity management measures aligned with the ISO/IEC 22301 standard; and (vi) other generally recognized industry standards, in each case, designed to safeguard the confidentiality, integrity, and availability of our infrastructure and data and the resiliency of our operations.
Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Incident Response and Recovery Planning: We have established and maintain broad incident response and recovery plans that help enable our effective and orderly management of, and response to, any identified security incidents, including escalation and internal and external-notification steps, allowing the incident response team to respond in a timely manner and enlist appropriate personnel and third-party experts. We maintain a process to promptly assess and assign severity levels to any identified security incidents in order to prioritize their importance and promptly direct resources to those issues of potentially greater impact. The notification plan establishes steps to alert external stakeholders as appropriate, including law enforcement, regulatory bodies, investors, customers and other business partners.
Third-Party Risk Management: We maintain a broad, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. In addition, our Trusted Supplier Program is designed to ensure manufacturing partners undergo a selection and qualification process that adheres to NIST 800-161.
Education and Awareness: We provide regular, mandatory training for personnel and contractors regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats and to communicate our evolving information security policies, standards, processes and practices.
Risk and Readiness Assessments: We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to identify vulnerabilities and weaknesses, address cybersecurity threats and test our readiness to respond to cybersecurity incidents. These efforts include a wide range of activities, including threat modeling, a variety of vulnerability and configuration scans, penetration testing, audits, tabletop exercises and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness and penetration tests. The results of such assessments, audits and reviews are reported to the Cybersecurity Committee and our board of directors and to our management, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
Insurance: We maintain information security risk insurance coverage.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|In general, we seek to address cybersecurity risks through a broad, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
As a global cybersecurity provider, cybersecurity risk management is integral to our company. Historically, the Audit Committee of our board of directors (the “Audit Committee”) was responsible for reviewing with management our cybersecurity and other information technology risks, controls and processes, including the processes used to prevent or mitigate cybersecurity risks and respond to cybersecurity events. However, due to the importance of cybersecurity to our company, in July 2024, our board of directors formed the Cybersecurity Committee of our board of directors (the “Cybersecurity Committee”), which is solely dedicated to cybersecurity risk management. Our executives with responsibility over cybersecurity, including our Chief Information Security Officer, provide quarterly reports to the Cybersecurity Committee as well as to the Chief Executive Officer and other members of our senior management as appropriate. Each member of our board of directors is invited to attend all meetings of the committees of our board of directors, including the Cybersecurity Committee, and thus all of the members of our board of directors are apprised of cybersecurity developments. The quarterly reports to the Cybersecurity Committee include updates on cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape. Our cybersecurity program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management and the Cybersecurity Committee. We also actively engage with key vendors and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. The Cybersecurity Committee also receives prompt and timely information regarding any cybersecurity threat or incident that meets established reporting thresholds, as well as ongoing updates regarding any such threat or incident until it has been mitigated, resolved or otherwise addressed.
We believe our systems and processes with respect to the management of risks associated with cybersecurity threats are adequate. We have experienced, and may in the future experience, adverse impacts to our operations as a result of cybersecurity incidents. However, to date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business strategy, operating results, and/or financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see our risk factors, including our risk factor titled “If our internal enterprise IT networks, on which we conduct internal business and interface externally, our operational networks, through which we connect to customers, vendors and partners systems and provide services, or our research and development networks, our back-end labs and cloud stacks hosted in our data centers or PoPs, colocation vendors or public cloud providers, through which we research, develop and host products and services, are compromised, public perception of our products and services may be harmed, our customers may be breached and harmed, we may become subject to liability, and our business, operating results and stock price may be adversely impacted.”
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|due to the importance of cybersecurity to our company, in July 2024, our board of directors formed the Cybersecurity Committee of our board of directors (the “Cybersecurity Committee”), which is solely dedicated to cybersecurity risk management.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Management is promptly updated regarding any significant security events and the Cybersecurity Committee regularly reviews updates from our CISO, information security and product security leaders about cyber threat response preparedness, security controls and procedures, security program maturity milestones, risk and approaches to risk mitigation and the current and emerging threat landscape. In addition, all members of our board of directors receive management’s cybersecurity updates to the Cybersecurity Committee as part of their regular attendance at meetings of our board of directors.
|Cybersecurity Risk Role of Management [Text Block]
|We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to identify vulnerabilities and weaknesses, address cybersecurity threats and test our readiness to respond to cybersecurity incidents. These efforts include a wide range of activities, including threat modeling, a variety of vulnerability and configuration scans, penetration testing, audits, tabletop exercises and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness and penetration tests. The results of such assessments, audits and reviews are reported to the Cybersecurity Committee and our board of directors and to our management, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|in July 2024, our board of directors formed the Cybersecurity Committee of our board of directors (the “Cybersecurity Committee”), which is solely dedicated to cybersecurity risk management.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO, Dr. Carl Windsor, has over 25 years of experience in various technology and cybersecurity leadership positions, including over 18 years at our company driving product security and strategy and reports to the board Cybersecurity Committee. The CISO’s leadership team members are all seasoned information security professionals, covering a wide range of security disciplines, who have worked at some of the largest well-known brand names and are experts in their fields.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our executives with responsibility over cybersecurity, including our Chief Information Security Officer, provide quarterly reports to the Cybersecurity Committee as well as to the Chief Executive Officer and other members of our senior management as appropriate. Each member of our board of directors is invited to attend all meetings of the committees of our board of directors, including the Cybersecurity Committee, and thus all of the members of our board of directors are apprised of cybersecurity developments. The quarterly reports to the Cybersecurity Committee include updates on cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true