ROKU, INC 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

ROKU, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:04:14 EST.

Filings

10-K filed on 2025-02-14

ROKU, INC filed a 10-K at 2025-02-14 16:04:14 EST
Accession Number: 0001428439-25-000013


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our enterprise-wide approach to risk management is designed to support the achievement of our organizational and strategic objectives and improve long-term organizational performance. Cybersecurity is a critical component of our enterprise risk management approach, and cybersecurity risks are among the enterprise risks that are subject to oversight by our Board and the Audit Committee of our Board (the “Audit Committee”). Our cybersecurity program is designed to assess, identify, and manage cybersecurity risks and threats. Key components of our cybersecurity program include:

- managing cybersecurity threats by deploying technical safeguards that are designed to protect our information systems from cybersecurity threats, which we evaluate and seek to improve, including through vulnerability assessments and cybersecurity threat intelligence;
- maintaining cybersecurity incident management procedures to address incident reporting, classification, escalation, response, and recovery, and facilitate efficient and consistent management of cybersecurity incidents involving our information systems;
- assessing and testing our cybersecurity policies and practices via internal efforts (such as assessments, vulnerability testing, threat modeling, tabletop exercises, and other exercises focused on evaluating the effectiveness of our cybersecurity measures) and by engaging third parties (including cybersecurity consulting firms) to perform assessments of our cybersecurity measures and manage our bug bounty program;
- a cybersecurity risk management process for third-party vendors, including, among other things, a security assessment and contracting process for vendor applications and implementing contractual security measures with third-party vendors; and
- cybersecurity awareness training is available for all employees and enhanced training is provided for certain employees.

Cybersecurity Governance

As part of its broader risk oversight activities, the Board oversees risks from cybersecurity threats, primarily through delegation to the Audit Committee. As reflected in its charter, the Audit Committee assists the Board in reviewing our significant cybersecurity matters and concerns. The Audit Committee engages on cybersecurity matters with our management team, including our Vice President of Product and Enterprise Security, who regularly provides presentations to the Audit Committee on our cybersecurity governance and compliance programs. These presentations address a range of topics including, for example, the threat landscape and cybersecurity events, vulnerability assessments, incident preparedness assessments, disaster recovery plans, and cybersecurity awareness training. Two additional members of our Board, who have cybersecurity experience but are not members of the Audit Committee, are invited to attend Audit Committee meetings when review of our cybersecurity program is on the agenda. In addition, the full Board receives regular updates on the activities of the Audit Committee, including with regard to cybersecurity oversight.

Our Vice President of Product and Enterprise Security is principally responsible for overseeing our cybersecurity risk management program, in partnership with other members of management. Our Vice President of Product and Enterprise Security has over 30 years of experience in cybersecurity and information technology roles, including executive leadership positions at public and private companies.

In addition, our Executive Incident Management Team (“EIMT”) is a cross-functional management committee dedicated to providing executive-level guidance on the cybersecurity incident response process to facilitate an appropriate and timely response, make decisions related to cybersecurity incidents, and notify appropriate parties with relevant cross-functional expertise in the event of a cybersecurity incident.

Our Product and Enterprise Security team is responsible for the day-to-day identification, assessment, and management of information security risks and provides regular updates to our Vice President of Product and Enterprise Security regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. Cybersecurity incidents are escalated to our Vice President of Product and Enterprise Security, the EIMT, and the Chair of our Audit Committee in accordance with our cybersecurity incident management procedures, so that decisions can be made regarding incident reporting and disclosure in a timely manner.

Notwithstanding our cybersecurity risk management and governance, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information regarding the cybersecurity risks we face, see Item 1A, Risk Factors, elsewhere in this Annual Report, under the caption “Data security incidents, including cybersecurity attacks, or other significant disruptions of our information technology systems could harm our reputation, cause us to modify our business practices, and otherwise adversely affect our business and subject us to liability.”

Item 3. Legal Proceedings

Information with respect to this item may be found in Note 12 to the consolidated financial statements in Item 8 of this Annual Report, which is incorporated herein by reference.


Company Information

Name: ROKU, INC
CIK: 0001428439
SIC Description: Cable & Other Pay Television Services
Ticker: ROKU - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30