Page last updated on February 5, 2025
Snap Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-04 19:53:49 EST.
Filings
10-K filed on 2025-02-04
Snap Inc filed a 10-K at 2025-02-04 19:53:49 EST
Accession Number: 0001564408-25-000019
Item 1C. Cybersecurity.
Risk Management and Strategy
Our engineering security team, led by our Chief Information Security Officer, or CISO, uses a multi-pronged approach to assessing, identifying, and managing material risks from cybersecurity threats. This approach includes identifying and assessing risks through: (1) an enterprise risk management program, which is periodically refreshed and includes an identification of our top risks, including cybersecurity risks; (2) formalized security and privacy reviews designed to identify risks from many new features, software, and vendors; (3) a vulnerability management program designed to identify hardware and software vulnerabilities; (4) an internal “red team” program, which simulates cyber threats, intended to allow us to fix vulnerabilities before threat actors identify them; (5) a threat intelligence program designed to model and research our adversaries; and (6) a privacy and security incident response program designed to investigate, respond to, and remediate known incidents. These processes vary in scope and maturity across the business and are processes we work to improve.
Our risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of our controls. We conduct penetration testing or other application security testing on a periodic basis, and have established an external bug bounty program to allow security researchers to help identify vulnerabilities and weaknesses in our controls and configurations in our systems.
We also maintain a vendor risk management program designed to identify and mitigate potential risks associated with third-party suppliers and business partners. This program includes pre-engagement diligence, use of contractual cybersecurity and incident notification provisions, and ongoing monitoring of vendors, as appropriate. We also conduct employee training on data protection, including cybersecurity, among other topics.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example professional service firms (including legal counsel), threat intelligence services, and cybersecurity consultants.
The material cybersecurity threats identified through these processes are managed by our CISO and are escalated to senior management and our risk and compliance committee, in each case where appropriate. Together, they identify responsive actions for inclusion in our annual strategic planning, or earlier resolution depending on the nature of the risk.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see “Risk Factors” in Part I, Item 1A in this Annual Report on Form 10-K.
Governance
Our board of directors maintains oversight of risks from cybersecurity threats by meeting with and receiving periodic updates from our CISO, via our audit committee, which is assigned oversight of cybersecurity risks. In addition, the chair of our audit committee meets with our CISO periodically to discuss cybersecurity threats and incidents, as well as the business’s approach to responding to them. Our incident response plans also provide that our board of directors and audit committee will be notified in the event of certain cybersecurity incidents.
Our CISO, Jim Higgins, has over 30 years of experience in the technology sector, including senior leadership roles in product security, information security engineering, and cloud enterprise. Mr. Higgins assisted the Linux Foundation in starting the Open Source Security Foundation to help increase awareness and promote technical solutions to address validation of Open Source software. Mr. Higgins has worked in information security at Chevron, Eastman Kodak, and Google, and, most recently, spent two years as the CISO of Block, Inc. (formerly Square). Our CISO also regularly meets with our CEO and other senior management, including as part of the cybersecurity incident response process.
Our CISO, and where appropriate our management team and risk and compliance committee, are informed about and monitor the prevention, detection, mitigation, and remediation of identified cybersecurity incidents, through our security incident response process. We maintain internal and external channels and signals to receive reports of cybersecurity or privacy threats or incidents. A reported incident triggers our Security Incident Response Policy or associated plans, which has defined roles for our cross-functional incident response team to investigate, contain, eradicate, and remediate the incident. The incident response team assesses the severity and priority of reported incidents on a rolling basis, with escalations of cybersecurity incidents provided to our management team by our CISO and General Counsel (or their designees) and escalations of certain cybersecurity incidents as appropriate to our board of directors. If a cybersecurity incident is determined to be a material cybersecurity incident, our Security Incident Response Policy and associated plans define the process to file a report regarding the incident with the SEC.
Mr. Higgins recently announced his intention to depart our company effective February 21, 2025 and, as a result, Eric Young, our Senior Vice President of Engineering, will act as our interim CISO while we conduct a search for a permanent replacement. Mr. Young has more than 25 years of experience working in the technology industry across a diverse range of business sectors and since June 2023 has overseen Mr. Higgins and our engineering security team, which comprises personnel with a broad range of experience in cybersecurity, information technology, and risk management. During Mr. Young’s tenure at Snap, Mr. Young has been involved in our approach in assessing, identifying, and managing security incidents.
Company Information
Name | Snap Inc |
CIK | 0001564408 |
SIC Description | Services-Computer Programming, Data Processing, Etc. |
Ticker | SNAP - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |