Page last updated on August 28, 2024
Affirm Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-28 17:06:35 EDT.
Company Summary
Affirm is a financial technology services company that offers installment loans to consumers at the point of sale.
Filings
10-K filed on 2024-08-28
Affirm Holdings, Inc. filed a 10-K at 2024-08-28 17:06:35 EDT
Accession Number: 0001820953-24-000035
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have established a cybersecurity program, informed by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), that is designed to safeguard our information systems against cybersecurity threats. This program incorporates a variety of processes and cybersecurity tools designed to assess, identify and manage material risks from cybersecurity threats. Those processes include automated and manual testing of our systems for vulnerabilities as well as monitoring and responding to suspicious activity.
We use established cybersecurity risk frameworks to identify, measure and prioritize cybersecurity risks and develop corresponding cybersecurity controls and safeguards, and we have implemented a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.
Leveraging both internal and external resources, we conduct regular reviews and tests, including penetration testing as well as tabletop and red team exercises, to evaluate the effectiveness of our cybersecurity program, enhance our cybersecurity measures, and inform our planning. We periodically engage external auditors and consultants to assess our cybersecurity programs. We also maintain a risk-based approach to identifying and overseeing risks from cybersecurity threats associated with our use of third-party service providers.
In addition, we require Affirm employees to participate in cybersecurity awareness training. These training sessions are designed to enhance our employees’ awareness of cybersecurity threats and provide information about best practices to protect Affirm’s information systems. We require additional tailored cybersecurity training for certain employees based on their specific job responsibilities.
Our cybersecurity program is integrated with our overall risk management program through our Chief Information Security Officer’s (“CISO”) participation in governance structures such as the Risk Management Committee and Technology and Operational Risk Committee, and the incorporation of cybersecurity into the Company’s overall compliance and enterprise risk management programs.
As of the date of this Report, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.
Cybersecurity Governance
Our Board of Directors has delegated authority to its Audit Committee to oversee risks associated with cybersecurity threats. Members of the Audit Committee receive updates periodically from our CISO regarding cybersecurity risks. These updates include, among other topics, reviews of existing and newly identified cybersecurity risks, status updates on how management is addressing and/or mitigating those risks, information about cybersecurity incidents (if any), as well as updates regarding the status of key cybersecurity initiatives.
Our CISO is principally responsible for assessing and managing our cybersecurity risk management program, in partnership with leaders from our Technology, Information Security, Internal Audit, Legal and Compliance teams. Such individuals have an average of over 20 years of prior work experience in various roles involving technology, information security, auditing and compliance.
These individuals, including the CISO, are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, our CISO then makes periodic reports to the Audit Committee regarding such matters.
Company Information
Name | Affirm Holdings, Inc. |
CIK | 0001820953 |
SIC Description | Personal Credit Institutions |
Ticker | AFRM - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 29 |