WM TECHNOLOGY, INC. 10-K Cybersecurity GRC - 2024-05-24

Page last updated on July 16, 2024

WM TECHNOLOGY, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-24 17:12:20 EDT.

Filings

10-K filed on 2024-05-24

WM TECHNOLOGY, INC. filed a 10-K at 2024-05-24 17:12:20 EDT
Accession Number: 0001779474-24-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, or otherwise material to our business, including customer and client Personally Identifiable Information (“Information Systems and Data”). Our security team, managed by our Chief Technology Officer (“CTO”) and Senior Director, Information Security, helps identify, assess and manage our cybersecurity threats and risks, including through the use of our cybersecurity risk acceptance register. Our security team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example: manual and automated tools; conducting vulnerability scans; penetration tests conducted internally and by third parties; leveraging threat intelligence feeds; reports and services that identify cybersecurity threats; and working with third parties who conduct threat assessments of our platform and APIs. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident detection and response plans; vulnerability management plan; disaster recovery and business continuity plans; segregating and encrypting certain of our data; maintaining network security and access controls; asset management, tracking, and disposal; monitoring certain of our systems and network; penetration testing and tabletop exercises; cybersecurity insurance; having dedicated cybersecurity staff; and training our employees about certain cybersecurity risks and threats. Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of our enterprise risk management program and identified in our risk register; (2) the security team works with certain members of our senior management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our senior management evaluates material risks from cybersecurity threats against our overall business objectives and provides periodic reports to the technology and audit committees of our board of directors, which evaluate our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example penetration testing firms, threat intelligence service providers, cybersecurity software providers, and professional services firms, including legal counsel. We use third-party service providers to perform a variety of functions throughout our business, such as cloud data hosting services. We have a vendor management program designed to manage cybersecurity risks associated with our use of these providers, which may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider. The program includes contractually obligating certain third-party service providers with access to Information Systems and Data to implement and maintain cybersecurity practices consistent with applicable legal requirements. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including (i) Real or perceived errors, failures, or bugs in our platform could adversely affect our operating results and growth prospects, (ii) Any security incident, including a distributed denial of service attack, ransomware attack, security breach or unauthorized data access could impair or incapacitate our information technology systems and delay or interrupt service to our clients and consumers, harm our reputation, or subject us to significant liability, and (iii) We are subject to industry standards, governmental laws, regulations and other legal obligations, particularly related to privacy, data protection and information security, and any actual or perceived failure to comply with such obligations could harm our business. Governance Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee and technology committee of our board of directors are responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of management, including our Chief Technology Officer (CTO) and our Senior Director, Information Security. Our CTO has over 15 years of experience in engineering and development, including in leadership roles. Our Senior Director, Information Security has over 20 years of experience in information security, including similar roles leading Information Security teams at Ticketmaster, Sony Pictures, and Warner Bros. Our CTO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, and approving budgets. Our Senior Director, Information Security manages preparing for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management plans are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our CTO, General Counsel and CEO. Our CTO, General Counsel and CEO work with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response and vulnerability management plans include reporting to the Audit Committee (who may consult with our technology committee) for certain cybersecurity incidents. Our technology committee receives periodic reports from the CTO concerning our significant cybersecurity threats and risk and the processes we have implemented to address them. Our board of directors, our Audit Committee and our technology committees also have access to certain reports or presentations related to cybersecurity threats, risk and mitigation.

Company Information