Sonder Holdings Inc. 10-K Cybersecurity GRC - 2024-09-26

Page last updated on September 27, 2024

Sonder Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-26 20:19:31 EDT.

Filings

10-K filed on 2024-09-26

Sonder Holdings Inc. filed a 10-K at 2024-09-26 20:19:31 EDT
Accession Number: 0001819395-24-000075


Item 1C. Cybersecurity.

Risk Management and Strategy

Our business involves the collection, storage, transmission, and other processing of confidential and sensitive data, including information about our guests and employees, and our operations depend on various information technology systems, communications networks, and technology applications, including those of third parties such as software-as-a-service providers. Accordingly, we face cybersecurity threats on an ongoing basis. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, financial condition, and cash flows, please refer to Item 1A. Risk Factors, above, in this report.

We have implemented, and are continuing to develop, various information security processes and measures designed to identify, assess and manage material risks from cybersecurity threats. Depending on the context, our technical and operational measures include vulnerability and risk assessments, network security and access controls, encryption of relevant data, systems monitoring, and employee training. Our Information Security team refers to the National Institute of Standards and Technology cybersecurity framework, among other industry reference sources, as a general guide in implementing security measures and addressing cybersecurity risks. Our senior management team considers cybersecurity risks among our other important enterprise-wide risks, on an ongoing basis.

We work with third parties from time to time to assist us in our cybersecurity efforts, including technology consulting firms and legal advisors, and on a periodic basis, an external vulnerability testing vendor with respect to certain Payment Card Industry Data Security Standard (PCI DSS) requirements. Depending on the nature of the services provided, the information involved, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider. We also participate in a “bug bounty” program that provides incentives for third-party researchers to identify possible system vulnerabilities. We also maintain cybersecurity insurance coverage. Our insurance coverage may not cover or fully insure all cybersecurity-related risks that we face, as described in Item 1A. Risk Factors, elsewhere in this report.

Governance

Our Board of Directors has ultimate oversight responsibility for the Company’s strategy and risk management, including material risks related to cybersecurity threats. The Board administers its risk oversight function directly and through the Board’s Audit Committee.

Our executive officers are responsible for the day-to-day management of the material risks we face, including cybersecurity risks. Among other things, management is responsible for hiring appropriate personnel, designing and implementing cybersecurity-related processes, communicating priorities to relevant personnel, and assessing cybersecurity incidents as they arise.

Among members of our senior management, cybersecurity matters are overseen by our Senior Vice President, Technology, who reports to our Chief Executive Officer and has more than two decades of experience in product leadership, engineering and data science. Our Senior Manager, IT Compliance and Information Security (“Head of Information Security”) reports to our Senior Vice President, Technology, and leads our cybersecurity risk assessment, management and response processes, including their implementation and maintenance. Before joining Sonder in January 2022, our Head of Information Security had approximately 18 years of additional experience as an information security officer and security consultant. He holds CISSP, CISM, and CDPSE certifications.

Our cybersecurity incident response and vulnerability management processes are designed to escalate cybersecurity incidents to members of management, and if applicable, to members of our Board of Directors, depending on the circumstances. Our Head of Information Security also has monthly program updates with our Senior Vice President, Technology and other technology team members to discuss cybersecurity and other technology related initiatives, progress and status. Additional discussions occur in preparation for quarterly Board meetings and on an ad hoc basis. The Board of Directors receives quarterly reports from management, including our Senior Vice President, Technology, concerning significant cybersecurity risks and assessments, and related matters. Management also updates members of our Audit Committee concerning cybersecurity matters from time to time, as circumstances warrant.


Company Information

Name: Sonder Holdings Inc.
CIK: 0001819395
SIC Description: Hotels, Rooming Houses, Camps & Other Lodging Places
Ticker: SOND - Nasdaq; SONDW - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30