CHARTER OF THE RISK COMMITTEE
OF THE BOARD OF DIRECTORS
As adopted on December 11, 2017
The purpose of the Risk Committee (the “Committee”) is to assist the Board of Directors (the “Board”) of Proofpoint, Inc. (the “Company”) in fulfilling its oversight responsibilities with respect to management’s identification and evaluation of the Company’s cybersecurity and other principal operational and business risks, as well as the Company’s risk management framework and its guidelines, policies and processes for monitoring and mitigating these risks.
This charter (the “Charter”) sets forth the authority and responsibility of the Committee in fulfilling its purpose. While the Committee has the responsibilities set forth in this Charter, risk assessment and risk management are the responsibility of the Company’s management. The Committee’s responsibilities with respect to risk assessment and risk management are to provide oversight and to engage management and the Board with respect to the Company’s cybersecurity and other principal operational and business risks. Additionally, the Committee’s role shall be advisory to the Board with respect to these matters, and the Board does not delegate any power or authority of the Board to the Committee with respect to these matters. The Board also retains oversight responsibility over the Company’s key strategic and reputational risks, and oversight responsibility for certain other risks has been assigned to the Audit Committee, the Compensation Committee and the Nominating and Corporate Governance Committee as set forth in their respective charters.
The Committee will consist of two or more members of the Board, with the exact number being determined from time to time by the Board. Each member of the Committee will:
• be an “independent director” as defined in the applicable rules and regulations of The Nasdaq Stock Market, as amended from time to time (the “Exchange Rules”), except as may otherwise be permitted by such Exchange Rules;
• be free from any relationship that, in the opinion of the Board, would interfere with the exercise of independent judgment as a Committee member; and
• meet any other requirements imposed by applicable law, regulations or rules, subject to any applicable exemptions.
All members of the Committee will be appointed by, and will serve at the discretion of, the Board. The Board may appoint a member of the Committee to serve as the chairperson of the Committee (the “Chair”); if the Board does not appoint a Chair, the Committee members may designate a Chair by their majority vote. The Chair will set the agenda for Committee meetings and conduct the proceedings of those meetings.
The principal responsibilities and duties of the Committee in serving the purpose outlined in Section I of this Charter are set forth below. These duties are set forth as a guide, with the understanding that the Committee will carry them out in a manner that is appropriate given the Company’s needs and circumstances. The Committee may supplement them as appropriate and may establish policies and procedures from time to time that it deems necessary or advisable in fulfilling its responsibilities. The Committee will:
1. Review or discuss, as and when appropriate, with management the Company’s risk governance framework.
2. Oversee the Company’s risk management policies and procedures dealing with risk identification and risk assessment regarding the cybersecurity and other principal operational and business risks facing the Company, whether internal or external in nature; and review and approve material changes to such policies.
3. Periodically, but at least four times per year, review cybersecurity and other major risk exposures of the Company, the steps management has taken to monitor and control such exposures, and the Company’s compliance with applicable information security and data protection laws and industry standards.
4. Provide oversight of the Company’s crisis management framework, including the Company’s incident response plans.
5. Review or discuss any comments or recommendations of outside experts with regard to cybersecurity and other major risk exposures, and, if appropriate, approve a schedule for implementing any recommended changes and monitor compliance with such schedule.
6. Make such reports and recommendations to the Board and its committees as the Committee may consider necessary or appropriate and consistent with its purpose, and take such other actions and perform such other services as may be referred to it from time to time by the Board or required under the federal securities laws, the rules and regulations promulgated by the Securities and Exchange Commission under the Securities Exchange Act of 1934, as amended (the “Commission Rules”) and the Exchange Rules.
The Committee, in discharging its responsibilities, may conduct or authorize studies of, or investigations into, any matter that the Committee deems appropriate, with full access to all books, records, facilities and personnel of the Company. The Committee has the sole authority and right, at the expense of the Company, to retain experts and advisers of its choice to assist the Committee in connection with its functions, including any studies or assessments.
Meetings of the Committee will be held from time to time, as determined appropriate by the Committee, but at least four times per year. The Chair, in consultation with the other member(s) of the Committee, will set the dates, times and places of such meetings. The Chair or any other member of the Committee may call meetings of the Committee by notice in accordance with the Company’s Bylaws. The Committee may also act by unanimous written consent in lieu of a meeting in accordance with the Company’s Bylaws. Subject to the requirements of this Charter, applicable law, the Exchange Rules and the Commission Rules, the Committee and the Chair may invite any director, executive or employee of the Company, or such other person, as it deems appropriate in order to carry out its responsibilities, to attend and participate (in a non-voting capacity) in all or a portion of any Committee meeting. The Committee may exclude from all or a portion of its meetings any person it deems appropriate in order to carry out its responsibilities. The Chair will designate a secretary for each meeting, who need not be a member of the Committee. The Secretary of the Company will provide the Committee such staff support as it may require.
The Committee will maintain written minutes of its meetings, and copies of its actions by written consent, and will cause such minutes and copies of written consents to be filed with the minutes of the meetings of the Board. The Chair will report to the Board from time to time with respect to the activities of the Committee, including on significant matters related to the Committee’s responsibilities and the Committee’s deliberations and actions. The minutes of the Committee and actions by written consent will be made available to the other members of the Board.
The Committee may from time to time, as it deems appropriate and to the extent permitted under applicable law, the Exchange Rules and the Commission Rules, and the Company’s Certificate of Incorporation and Bylaws, form and delegate authority to subcommittees.
The Committee will evaluate the Committee’s composition and performance on an annual basis and submit a report to the Board. The Committee will also review and reassess the adequacy of this Charter periodically, and recommend to the Board any changes the Committee determines are appropriate.
Michael Johnson has served as a director since July 2017. Mr. Johnson currently serves as senior vice president and chief information security officer of Capital One Financial Corporation, where he leads and manages cyber, cyber risk management, information security, cybersecurity operations, and security technology innovation. Prior to joining Capital One in March 2017, Mr. Johnson served as chief information officer for the U.S. Department of Energy. Previously Mr. Johnson served in key cyber-focused executive roles in the U.S. Government at the Office of the Director of National Intelligence, the Department of Homeland Security, and the White House Executive Office of the President. Mr. Johnson holds a B.S. in Computer Engineering and an M.S. in Computer Science from the University of California, San Diego. The board of directors determined that Mr. Johnson should serve as a director based on his extensive experience in cyber security, cyber risk management, and security technology innovation as well as his leadership roles with the United States government.