|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
Our cybersecurity risk management program is centered on management of risks related to our network, product and cloud security, including security measures and controls designed to identify, protect, detect, respond to, and recover from cybersecurity risks. We use the NIST Cybersecurity Framework (NIST CSF) as a guide. This does not imply that we meet any particular technical standards, specifications, or requirements of NIST CSF, only that we use the NIST CSF as a framework to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall risk management process and shares common methodologies, reporting channels and governance processes that apply across the risk management process to other risk areas, such as compliance and business continuity risks.
Key aspects of our cybersecurity risk management program include:
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Item 3.D. Risk Factors— If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected,” “—We increasingly rely on third-party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption of or interference with our use of these services, including any specifications limitations, could adversely affect our business” and “—Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Item 3.D. Risk Factors— If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected,” “—We increasingly rely on third-party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption of or interference with our use of these services, including any specifications limitations, could adversely affect our business” and “—Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact.”
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
Our Board of directors considers cybersecurity risk as a critical part of its risk oversight function and has delegated to our audit committee oversight of cybersecurity and other information technology risks. Our audit committee oversees management’s implementation of our cybersecurity risk management program, including product and information security.
Our audit committee receives periodic updates of our cybersecurity risks and controls from our management members, including the CIO, who is currently acting as CISO, and along with our Senior Vice President of R&D, as relevant. In addition, the CIO along with other relevant managers, update the audit committee, as necessary, regarding cybersecurity incidents they consider significant. Our audit committee also monitors our annual mitigation plan, which includes the results of our annual cybersecurity risk assessment on our information technology. Our audit committee reports to the full Board of directors regarding its activities, including our cyber risk management program.
In addition, we have two steering committees, each assigned with overseeing and managing different aspects of cybersecurity risks: the Information Security Steering Committee (ISSC) and a Service and Product Security Steering Committee (SPSSC). The ISSC is comprised of our CEO, CIO, Chief Product Officer (CPO), and Chief Legal Officer, as well as leaders from our Information Security, R&D and Security Services teams and typically meets monthly to discuss key security matters, mitigation plans and progress. The SPSSC includes our CPO, Senior Vice President of R&D, Senior Vice President of Product Management, CISO, Managing Counsel and other service and product security leaders in our Information Security, Product Management and R&D departments.
On the management team, our CIO has overall responsibility for assessing and managing our material risks from cybersecurity threats, and is assisted in this regard by the information and product security teams. As applicable, the teams will also involve our CPO for assessing and managing the relevant risks. Our CIO has extensive experience in cyber risk management. Prior to joining CyberArk, our CIO served as Head of the Cyber Defense Operations Center of the IDF and Head of the Center for Computing and Information Systems of the IDF. He holds a Bachelor of Science degree in physics and electrical engineering from Tel Aviv University and a Master of Science in Government Information Leadership from the National Defense University, College of Information and Cyberspace in Washington, D.C. Our CPO has an extensive experience in Fraud Detection. Prior to joining CyberArk, our CPO served as Head of Global Data Science and Engineering at PayPal. He holds a Bachelor of Science Degree in Computer Science and a Master in Business Management.
Our CIO takes steps to stay informed about and monitor the identification, prevention, detection, protection, mitigation, and remediation of key cybersecurity risks and incidents through various means, which may include briefings with the internal cybersecurity team members and external consultants, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports that are generated by security tools deployed in the information systems’ environments.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of directors considers cybersecurity risk as a critical part of its risk oversight function and has delegated to our audit committee oversight of cybersecurity and other information technology risks. Our audit committee oversees management’s implementation of our cybersecurity risk management program, including product and information security.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our audit committee receives periodic updates of our cybersecurity risks and controls from our management members, including the CIO, who is currently acting as CISO, and along with our Senior Vice President of R&D, as relevant. In addition, the CIO along with other relevant managers, update the audit committee, as necessary, regarding cybersecurity incidents they consider significant. Our audit committee also monitors our annual mitigation plan, which includes the results of our annual cybersecurity risk assessment on our information technology. Our audit committee reports to the full Board of directors regarding its activities, including our cyber risk management program.
|Cybersecurity Risk Role of Management [Text Block]
|
On the management team, our CIO has overall responsibility for assessing and managing our material risks from cybersecurity threats, and is assisted in this regard by the information and product security teams. As applicable, the teams will also involve our CPO for assessing and managing the relevant risks. Our CIO has extensive experience in cyber risk management. Prior to joining CyberArk, our CIO served as Head of the Cyber Defense Operations Center of the IDF and Head of the Center for Computing and Information Systems of the IDF. He holds a Bachelor of Science degree in physics and electrical engineering from Tel Aviv University and a Master of Science in Government Information Leadership from the National Defense University, College of Information and Cyberspace in Washington, D.C. Our CPO has an extensive experience in Fraud Detection. Prior to joining CyberArk, our CPO served as Head of Global Data Science and Engineering at PayPal. He holds a Bachelor of Science Degree in Computer Science and a Master in Business Management.
Our CIO takes steps to stay informed about and monitor the identification, prevention, detection, protection, mitigation, and remediation of key cybersecurity risks and incidents through various means, which may include briefings with the internal cybersecurity team members and external consultants, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports that are generated by security tools deployed in the information systems’ environments.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|On the management team, our CIO has overall responsibility for assessing and managing our material risks from cybersecurity threats, and is assisted in this regard by the information and product security teams
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CIO has extensive experience in cyber risk management. Prior to joining CyberArk, our CIO served as Head of the Cyber Defense Operations Center of the IDF and Head of the Center for Computing and Information Systems of the IDF. He holds a Bachelor of Science degree in physics and electrical engineering from Tel Aviv University and a Master of Science in Government Information Leadership from the National Defense University, College of Information and Cyberspace in Washington, D.C. Our CPO has an extensive experience in Fraud Detection. Prior to joining CyberArk, our CPO served as Head of Global Data Science and Engineering at PayPal. He holds a Bachelor of Science Degree in Computer Science and a Master in Business Management.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our CIO takes steps to stay informed about and monitor the identification, prevention, detection, protection, mitigation, and remediation of key cybersecurity risks and incidents through various means, which may include briefings with the internal cybersecurity team members and external consultants, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports that are generated by security tools deployed in the information systems’ environments.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef