Sonos Inc 10-K Cybersecurity GRC - 2024-11-15

Page last updated on November 15, 2024

Sonos Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-15 16:49:12 EST.

Filings

10-K filed on 2024-11-15

Sonos Inc filed a 10-K at 2024-11-15 16:49:12 EST
Accession Number: 0001314727-24-000026

Item 1C. Cybersecurity.

Cybersecurity risk management and strategy

We have developed and implemented an enterprise-wide cybersecurity program, which is part of our overall risk management system and is designed to provide cybersecurity risk management and governance. Our cybersecurity program prioritizes, among other things, proactive detection and mitigation of threats; protection of customer and internal confidential information; minimization of the impact of incidents; and identification, assessment, and management of material risks from cybersecurity threats.

We use a variety of strategies and techniques designed to identify cybersecurity risks and reduce the risk of unauthorized access to internal and customer confidential information and critical business systems and platforms. This approach utilizes both internal and external resources and includes regular risk assessments (for example, penetration testing and annual self-assessments), ongoing employee training, proactive monitoring of our IT systems, encryption of certain types of information, and certain controls governing access to our facilities and systems.

We maintain a detailed incident response plan to manage cybersecurity incidents when detected. The response plan includes procedures for identifying, containing, and responding to cybersecurity incidents. Our ability to respond to cybersecurity incidents is tested on a recurring basis.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including professional services firms, cybersecurity software providers, and certain testing firms.

We have processes in place designed to identify and mitigate risks from third-party vendors, including, as appropriate, pre-contractual security assessments and review of contractual terms addressing cybersecurity and data protection.

To date, we are not aware of cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Despite our security measures, however, there can be no assurance that we, or third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For a discussion regarding risks related to cybersecurity threats, refer to Item 1A. “Risk Factors” of this Form 10-K.

Cybersecurity governance

Our Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. The Board of Directors has delegated oversight of our cybersecurity program to the Audit Committee. In connection with that oversight responsibility, senior members of our information security team meet with the Audit Committee on a regular basis (but no less than semi-annually) and provide information and updates on our cybersecurity program and related topics. This includes existing and new cybersecurity risks, status on how management is identifying, assessing, managing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), status on key information security initiatives, and developments in the cybersecurity space and evolving standards.

Our enterprise-wide cybersecurity program is managed by a dedicated information security team, led by our Head of Cybersecurity, Risk & Trust (“Head of Cybersecurity”). Our Head of Cybersecurity has almost 25 years of cybersecurity, information governance, and IT experience in the technology industry.


Company Information

Name: Sonos Inc
CIK: 0001314727
SIC Description: Household Audio & Video Equipment
Ticker: SONO - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End