Cybersecurity & Data Responsibility Committee
CYBERSECURITY & DATA RESPONSIBILITY COMMITTEE CHARTER
(March 10, 2022)
The purpose of the Cybersecurity & Data Responsibility Committee (the “Committee”) of the Board of Directors (the “Board”) of Splunk Inc., a Delaware corporation (the “ Company”), shall be to oversee and make recommendations to the Board, as necessary, on matters concerning the Company’s cybersecurity and data responsibility objectives, strategies, capabilities, initiatives, and risk assessment and mitigation protocols.
In furtherance of these purposes, the Committee will undertake those specific duties and responsibilities listed below and such other duties as the Board may from time to time prescribe. In the course of its duties, the Committee shall have authority, at the Company’s expense, to investigate any matter brought to its attention and be given full access to the Chair of the Board, management, the independent auditors and other advisors, as well as the Company’s books, records, facilities and other personnel.
The Committee’s responsibility is one of oversight. The members of the Committee are not employees of the Company, and they do not perform, or represent that they perform, the functions of management with respect to cybersecurity and data responsibility. The Committee relies on the expertise and knowledge of management in carrying out its oversight responsibilities.
The Committee members shall be appointed by, and shall serve at the discretion of, the Board. The Committee shall consist of no fewer than three members of the Board. The Board may designate one member of the Committee as its chair. The Committee may form and delegate authority to subcommittees when appropriate.
RESPONSIBILITIES AND DUTIES
The responsibilities and duties of the Committee shall include:
- Cybersecurity. Overseeing, and reviewing with management, the Company’s overall assessment of cybersecurity threats and risks, and the overall quality and effectiveness of the Company’s security controls, including its policies and procedures, to identify, assess, and mitigate such threats and risks.
- Data Responsibility. Overseeing, and reviewing with management, the Company’s overall data responsibility strategy and program, including its approach to ensuring compliance with applicable privacy laws and regulations, customer commitments, and industry standard practices, in each case involving the collection, use, sharing, storage and retention of data.
- Incidents. Reviewing with management the Company’s controls, policies and guidelines to help prevent, detect, and respond to cyber attacks, data breaches, and unplanned outages, and any material incidents related thereto, in each case affecting or involving the Company’s products, services, and business operations.
- Business Continuity Planning & Disaster Recovery for Cyber Events. Reviewing with management the Company’s business continuity planning and disaster recovery protocols for cyber events, including escalation procedures, communication plans, and business resiliency capabilities, and their alignment with Company’s enterprise risk management program.
- Disclosures. Periodically reviewing or discussing with the Company’s management the adequacy and effectiveness of the Company’s processes and controls for making required or voluntary disclosures, in each case relating to cybersecurity and data responsibility matters
- Insurance. Annually reviewing the appropriateness and adequacy of the Company’s cybersecurity insurance coverage.
- Enterprise Risk Management Integration. Ensuring that the Committee has appropriate access to and, with respect to cybersecurity and data responsibility matters, visibility into the Company’s enterprise risk management framework and personnel, including through periodic engagements with the Audit Committee or the Company’s management, as determined by the Committee.
- Other. Perform such other functions as the Committee, in its discretion, determines necessary or appropriate to fulfill the foregoing oversight responsibilities.
In performing its duties, the Committee shall have the authority, at the Company’s expense, to retain, hire, and obtain advice, reports or opinions from internal or external legal counsel and expert advisors.
The Committee will meet as often as may be deemed necessary or appropriate, in its judgment, in order to fulfill its responsibilities. The Committee may meet either in person, virtually or telephonically, and at such times and places as the Committee determines. The Committee may establish its own meeting schedule, which it shall provide to the Board. The Committee may invite to its meetings other Board members, Company management and such other persons as the Committee deems appropriate in order to carry out its responsibilities.
The Committee will maintain written minutes of its meetings, which will be filed with the minutes of the meetings of the Board.
The Committee shall make regular reports to the full Board on the actions and recommendations of the Committee.
Members of the Committee shall receive such fees, if any, for their service as Committee members as may be determined by the Board in its sole discretion.
- Financial Expert
- Independent Director