Page last updated on February 4, 2025
PayPal Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-04 17:25:36 EST.
Filings
10-K filed on 2025-02-04
PayPal Holdings, Inc. filed a 10-K at 2025-02-04 17:25:36 EST
Accession Number: 0001633917-25-000019
Item 1C. Cybersecurity.
CYBERSECURITY RISK MANAGEMENT AND STRATEGY

Our Information Security Program is designed to support the Company in identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents (collectively, “cybersecurity risks”) with the intention to protect the confidentiality, integrity, and availability of our critical systems and information. We design and regularly assess our Information Security Program guided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and ISO standards (including ISO 27001), proprietary controls and industry best practices. Our Information Security Program is built on a three lines of defense model integrated into our overall Enterprise Risk and Compliance Management Program (“ERCM Program”). It shares common methodologies, reporting channels, and governance processes that apply across the ERCM Program to other legal, compliance, strategic, operational, and financial risk areas. The Program is governed by the Technology, Information Security, and Privacy Risk Management Committee and overseen by our Board of Directors (“Board”) and its Audit, Risk and Compliance Committee (“ARC Committee”).

The three lines of defense model is designed to provide a structure for risk management in the first line of defense (“FLOD”), monitoring and guidance by the second line of defense (“SLOD”), and independent audit by the third line of defense (“TLOD”). Our Office of the Chief Information Security Officer oversees the Company’s information, cyber, and technology security. The Enterprise Risk Management Organization provides second line monitoring and guidance. The Technology and Information Security team serves as SLOD and provides independent oversight of our technology and cybersecurity risk mitigation practices and capabilities.
As TLOD, Internal Audit independently assesses the effectiveness of our cybersecurity risk management and independently reports the results of audits to our ARC Committee to assist it in its oversight duties.

Our Information Security Program includes:
- Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise Information Technology (“IT”) environment;
- Regular testing of our systems to identify and address potential vulnerabilities;
- Integrated planning and preparedness activities supporting business continuity and operational resiliency;
- Security teams principally responsible for managing (1) our annual cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
- 24/7 monitoring and measurement of cybersecurity threats through our PayPal Cyber Defense Center (“CDC”);
- The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- An information training and awareness program for our employees, contractors, incident response personnel, and senior management; and
- A third-party risk management framework designed to monitor and address risks from cybersecurity incidents of service providers, suppliers, and vendors that includes due diligence over third parties’ information security and technology control environment at onboarding and periodically throughout the lifecycle of the relationship.

In addition, our standard contractual terms require notification and communication from third parties in the event of a cybersecurity incident. We maintain procedures to respond to, manage and mitigate third-party cybersecurity events and vulnerabilities when identified.
For a description of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition, see “Item 1A. Risk Factors” under the captions “Cyberattacks and security vulnerabilities could result in serious harm to our reputation, business, and financial condition” and “Business interruptions or systems failures may impair the availability of our websites, applications, products or services, or otherwise harm our business.”

CYBERSECURITY GOVERNANCE

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to our ARC Committee oversight of cybersecurity and other information technology risks. The ARC Committee oversees PayPal’s overall risk framework, including management’s implementation of our cybersecurity risk management program, and reports to the full Board of Directors on a regular basis on cybersecurity and information technology risk management. The ARC Committee receives periodic reports from the Chief Information Security Officer (“CISO”) on our cybersecurity risks. Management also updates the ARC Committee, as necessary, regarding cybersecurity incidents.

Our CISO is responsible for implementing the information security strategy, security engineering, enabling business partners, and securing customer data, digital assets, and payments. His organization also monitors cyber regulation requirements and reviews impacts of new products and initiatives. Our CISO has over two decades of experience as a cybersecurity professional, including as a CISO at PayPal and four other organizations including leading global financial services institutions and large scale U.S. government agencies (including within the Department of Defense).
He has an extensive record of success shepherding digital transformation aligned with business goals, launching cybersecurity frameworks, building security engineering teams, and ensuring protection of assets, data, privacy, and company reputation.

The ARC Committee reports to the Board regarding its activities, including those related to cybersecurity risk oversight. The Board also receives briefings at least annually from management on our Information Security Program. Board members receive presentations on cybersecurity topics from our CISO and external experts from time to time as part of our continuing education to the Board on topics relevant to their service as a member of our Board.

Our cybersecurity teams, overseen by our CISO, are responsible for assessing and managing our risks from cybersecurity threats, including defining security policy and board reporting of security risk. The CISO approves all security policies and oversees the identification, assessment, and management of cybersecurity risks, which provides a proactive and comprehensive approach to safeguarding our information assets. The teams have primary responsibility for our overall Information Security Program and supervise both our internal cybersecurity personnel and our external cybersecurity consultants. Our cybersecurity teams’ experience includes cybersecurity incident response, in-depth security assessments, security emulation exercises to evaluate our security profile, security research, education and outreach, and security tool development.
Our cybersecurity teams, in coordination with the CDC, supervise efforts to prevent, detect, mitigate, and remediate cybersecurity threats and incidents through the operation of our incident response plan and various other means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, as well as alerts and reports produced by security tools deployed in the IT environment. The CDC team oversees, identifies, and addresses security threats aimed at safeguarding PayPal employees, consumers, and merchants.
Company Information
Name | PayPal Holdings, Inc. |
CIK | 0001633917 |
SIC Description | Services-Business Services, NEC |
Ticker | PYPL - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |