PELOTON INTERACTIVE, INC. 10-K Cybersecurity GRC - 2024-08-22

Page last updated on August 22, 2024

PELOTON INTERACTIVE, INC. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-22 17:08:15 EDT.

Filings

10-K filed on 2024-08-22

PELOTON INTERACTIVE, INC. filed a 10-K at 2024-08-22 17:08:15 EDT
Accession Number: 0001639825-24-000128


Item 1C. Cybersecurity.

Cybersecurity Risk Management

We have developed and implemented a cybersecurity risk management program intended to preserve the confidentiality, integrity and availability of Peloton’s systems and information, including our Members’ data, APIs and web and mobile applications. Our cybersecurity program is guided by industry standards developed by the National Institute of Standards and Technology (“NIST”). We seek to address cybersecurity risks through a comprehensive, cross-functional approach that focuses on protecting the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our cybersecurity program is also integrated with Peloton’s broader enterprise risk management program, through which we manage business, cybersecurity, information technology, privacy, legal, and geopolitical risks, among others. While no organization can eliminate cybersecurity risk entirely, we believe our cybersecurity program is reasonably designed to mitigate our cybersecurity and information technology risks.

Our cybersecurity program is supported by our information security team, which is primarily responsible for identifying, monitoring and preventing cybersecurity threats, and our data privacy team, which is primarily responsible for developing, creating, maintaining and enforcing privacy policies, standards and procedures. Our information security team reviews potential identified incidents through various internal and external resources; identifies potential or actual cybersecurity threats; evaluates and prioritizes threats based on severity; investigates and mitigates the cause and impact of such incidents; administers our documented response procedures with respect to any data breach; and implements safeguards to help prevent recurrence.

Education, training and preparedness are important elements of our cybersecurity program. Peloton requires new employees to undertake cybersecurity training and provides regular training updates to other employees. Additional trainings are mandatory for those employees who handle confidential (including personal) information.

We perform due diligence regarding our third-party suppliers, service providers and other business partners. This may include requiring evidence demonstrating third parties’ ability to meet our cybersecurity and data handling requirements. In addition, Peloton’s business partners who process data are contractually obligated to notify us if they experience certain incidents impacting our or our Members’ data. Our ability to monitor the cybersecurity practices of third parties is limited and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, network or other cybersecurity assets owned or controlled by third parties.

We regularly perform internal testing and engage independent third parties to perform audits and assessments as we deem appropriate. For example, our alignment with NIST standards has been reviewed by an industry-leading auditing firm. We also maintain a cyber insurance policy to help manage, in part, costs associated with significant cybersecurity incidents that may occur. We continue to invest in our cybersecurity program and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain.

For a discussion regarding risks from cybersecurity threats, see our risk factors, including the risk factors titled “Any major disruption or failure of our information technology systems or websites, or our failure to successfully implement upgrades and new technology effectively, could adversely affect our business and operations”, “Cybersecurity risks could adversely affect our business and disrupt our operations”, “Our business is subject to the risk of earthquakes, fire, power outages, floods, hurricanes, public health crises, ransomware and other cybersecurity attacks, labor disputes, and other catastrophic events, and to interruption by man-made problems such as terrorism and international geopolitical conflicts”, and “We collect, store, process, and use personal data and other Member data, which subjects us to legal obligations and laws and regulations related to security and privacy, and any actual or perceived failure to meet those obligations could harm our business”, under the heading “Risk Factors-Risks Related to Our Business” in Part I, Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance

While everyone at Peloton has a role in managing cybersecurity risks, our Board of Directors and senior management team are actively involved in the oversight of our cybersecurity program. Our Board of Directors and the Audit Committee of our Board of Directors oversee Peloton’s cybersecurity matters through regular reports and reviews, as well as reporting on material cybersecurity incidents. These include presentations by the Company’s Senior Vice President, Chief Security and Trust Officer (“CISO”) to the Audit Committee on a quarterly basis, along with ad hoc reports on cybersecurity incidents, threat detection and mitigation plans to the Audit Committee, our Board of Directors and our executive team.

Our CISO leads our information security team and has more than 20 years of cybersecurity experience across four public companies. He is supported by our Vice President of Privacy Compliance, who leads our data privacy team. Our cybersecurity program is supported by other members of our senior management team as well, including our Chief Legal Officer and members of Peloton’s disclosure committee. Members of executive leadership are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management process. The CISO also provides updates to Peloton’s senior management regarding cybersecurity risks, and meets regularly with Peloton’s finance, enterprise technology, disclosure and internal audit teams.


Company Information

Name: PELOTON INTERACTIVE, INC.
CIK: 0001639825
SIC Description: Sporting & Athletic Goods, NEC
Ticker: PTON - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: June 29