SHOPIFY INC. 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

SHOPIFY INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 07:02:46 EST.

Filings

10-K filed on 2025-02-11

SHOPIFY INC. filed a 10-K at 2025-02-11 07:02:46 EST
Accession Number: 0001594805-25-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C: Cybersecurity At Shopify, cybersecurity risk management is an important part of our overall enterprise risk management effort. Shopify has defined a risk management framework that is designed to find, assess and respond to potential cybersecurity risks that threaten the effectiveness of its security posture. To identify and assess risks from cybersecurity threats, we evaluate information from a variety of sources including threat intelligence feeds, penetration tests and bug bounty reports and monitor observed cybersecurity incidents. We engage third-party security experts and consultants to assist with assessment and enhancement of our cybersecurity risk management processes, as well as benchmarking against industry practices. Additionally, we review third party software and services and personnel who contract with Shopify to provide Shopify services and that share or receive data, or have access to or integrate with our systems, to assess potential risks from cybersecurity threats associated with our use of such third-parties, and generally require third parties to, among other things, maintain security controls to protect our confidential information and data. Our Internal Audit function provides independent assessment and assurance on the operations of our cybersecurity program and the supporting control frameworks through risk-based Internal Audit projects authorized by the audit committee of our board of directors (the “Audit Committee”). We maintain a security incident response plan designed to monitor, analyze, address, escalate, contain and report, as appropriate, cybersecurity incidents. In addition, our employees receive cybersecurity training designed to enhance awareness of cybersecurity risks. Our board of directors has overall oversight of enterprise risk management and Audit Committee has direct oversight responsibility for cybersecurity risk. The Audit Committee also reviews and discusses periodic reports prepared by the Head of Risk and Internal Audit on the effectiveness of Shopify’s overall risk management programs, control processes and governance procedures, together with management’s response. Matters that are determined to represent an elevated level of risk may be escalated to the board of directors for consideration, at the discretion of the Audit Committee. Management’s cybersecurity program operates under the leadership of our Chief Information Security Officer (“CISO”) . The CISO leads our cybersecurity program, sets the direction for security across the Company and leads the Shopify Trust team, including oversight of incident identification, prevention, detection, response and recovery. Our CISO holds a Bachelors of Software Engineering and has over twenty years of security experience. The Trust team is comprised of personnel with a broad range of experience across the private and public sectors, the technology industry and different geographic regions. The CISO provides periodic reports to the Audit Committee on the cybersecurity program. 43 Table of C ontents In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. Despite these protective efforts, we cannot eliminate all risks from cybersecurity threats, nor can we provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A “Risk Factors” in this Annual Report on Form 10-K under the caption " Security breaches, improper access to or disclosure of our data, merchant data and buyer data other hacking and phishing attacks on our systems, or other cyber incidents could impact or interrupt service to our merchants, their buyers and others who use our services, harm our reputation, subject us to significant liability and adversely affect our business and financial results “.

Company Information