23andMe Holding Co. 10-K Cybersecurity GRC - 2024-05-30

Page last updated on July 16, 2024

23andMe Holding Co. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-30 16:06:42 EDT.

Filings

10-K filed on 2024-05-30

23andMe Holding Co. filed a 10-K at 2024-05-30 16:06:42 EDT
Accession Number: 0001804591-24-000038


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program is integrated into our broader Information Security Management System (“ISMS”), which is designed to identify, assess, prioritize, and mitigate risks across the organization and to enhance our resilience and support the achievement of our strategic security objectives. Our cybersecurity risk management program includes a cybersecurity incident response plan. The audit committee of our board of directors oversees enterprise risk management as an integral and continuous part of its oversight role. Integrated into our overall enterprise risk management framework are processes dedicated to the identification, assessment and management of material risks from cybersecurity threats.

Our approach to cybersecurity risk management is both proactive and defensive, and includes the following elements:

- a team dedicated solely to cybersecurity and managed by our interim chief security officer (“CSO”), who reports directly to our Chief Product Officer. The interim CSO and his team are responsible for leading enterprise-wide cybersecurity strategy, policies, standards, architecture and processes. Our interim CSO has over 25 years of information technology (“IT”) and cybersecurity experience, including cybersecurity architecture at 23andMe, principal cybersecurity engineering at CA Technologies, and corporate IT management, with nearly seven years in security at 23andMe. He holds industry-recognized certifications in CCSK, CCFE, and ITIL v3.
- an information technology vulnerability assessment process that includes internal testing, as well as engagement with outside security researchers, for the identification, evaluation and management of cybersecurity risks. For example, we conduct tests to identify potential vulnerabilities, such as penetration tests, manage a bug bounty program, and conduct tabletop and red team/purple team exercises to evaluate the effectiveness of our ISMS and cybersecurity practices.
- a Security Incident Response plan pursuant to which our interim CSO and his team are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents in accordance with our defined Privacy and Security Incident Response plan, which is reviewed along with other plans relevant to our cybersecurity risk management on an annual basis.
- an information technology request review process that includes cybersecurity assessments of third-party products and systems proposed to connect to our information systems environment or access our data.
- a training program pursuant to which we provide staff with timely, relevant security topics, which include social engineering, phishing, password protection, protecting personal data, and appropriate use of assets; and
- an annual certification program by an accredited third-party auditor for compliance with ISO/IEC 27001:2013 for an ISMS and ISO/IEC 27701:2019 for a PIMS, as well as the requirements and control implementation guidance within ISO/IEC 27018:2019 for cloud computing.

Cybersecurity Team and Strategy

The cybersecurity team, led by the interim CSO, is responsible for managing the day-to-day cybersecurity strategy of the organization, including oversight of our cybersecurity tools and controls to protect company assets. We have implemented an iterative and multi-layered cybersecurity strategy that incorporates both proactive review of the evolving cybersecurity threat landscape and reactive management of cybersecurity threats. Our proactive management of cybersecurity risks includes zero trust access, data loss prevention programs, correction of potential cybersecurity risks, and programs for employee education regarding cybersecurity risks. Our reactive management of cybersecurity risks includes continuous logging and alerting, utilization of enterprise cybersecurity technology, and personnel dedicated to incident response.

Third-Party and Vendor Management Review Processes

We have implemented processes that establish a systematic approach to assessing cybersecurity controls while onboarding new third-party vendors. Additionally, we have implemented annual reviews of the cybersecurity controls of third-party vendors that provide essential services and/or store data that presents a business risk to us and/or our customers.

Cybersecurity Incident Response Plan

In October 2023, we experienced a cybersecurity incident in which certain information of our users was accessed and downloaded from individual 23andMe.com accounts without the account users’ authorization. Following this incident, we implemented certain changes to our information systems and processes meant to provide additional protections to our environment, including enhancements to our Security Operations, a reset of customer passwords, required two-factor verification for new and existing customers, detection tools and capabilities, and the implementation of new tools and processes, among others. However, we continue to face a heightened risk of cybersecurity threats which may materially impact our operations. For more information about our cybersecurity related risks, see “We have experienced a criminal cyber incident and could in the future experience other security breaches, disruption to our business, or reputational harm” in Part 1, Item 1A, Risk Factors of this Form 10-K.

Governance

Board Oversight

Our board of directors has identified the oversight of cybersecurity risks to be one of its priorities, and it receives regular reports from management, including the interim CSO, on various cybersecurity matters, including the security of the company’s information systems, anticipated sources of future material cyber risks and how management is addressing any significant potential vulnerability. The board’s audit committee reviews our cybersecurity program at least annually and receives regular updates on cybersecurity threats and other matters. In addition to regular updates to the audit committee, we have protocols by which we escalate certain cybersecurity incidents and, where appropriate, report on them in a timely manner to the board and the audit committee.

Management Oversight

We have implemented a cross-functional ISMS governance committee that drives awareness and alignment across broad governance and stakeholder groups for effective cybersecurity risk management. The interim CSO and interim Data Privacy Officer (“DPO”) co-chair the ISMS Governance Committee. The ISMS Governance Committee acts in alignment with the Data Protection Governance Committee, another cross-functional governance committee, which provides strategic direction and oversight over the company’s program related to data protection. These governance committees have responsibility for oversight, resource allocation, capabilities and planning. Members of the ISMS committee review newly identified cybersecurity risks, evaluate the appropriate treatments, and monitor the ongoing status of risk remediation. The interim CSO and DPO regularly report to the audit committee on these matters.


Company Information

Name: 23andMe Holding Co.
CIK: 0001804591
SIC Description: Pharmaceutical Preparations
Ticker: ME - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: March 30