Uber Technologies, Inc 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

Uber Technologies, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:06:34 EST.

Filings

10-K filed on 2025-02-14

Uber Technologies, Inc filed a 10-K at 2025-02-14 16:06:34 EST
Accession Number: 0001543151-25-000008


Item 1C. Cybersecurity.

Safeguarding our critical networks and the information that platform users share with us is vital to our business. One key way that Uber addresses this need is through its cybersecurity program, which includes a cybersecurity risk management program. Uber’s Chief Information Security Officer (“CISO”) is responsible for the cybersecurity program, which is coordinated and primarily executed by the global organization of engineers focused on risk management using the NIST Framework (Govern, Identify, Protect, Detect, Respond, and Recover) and activities such as automation, secure development, and advanced analytics and monitoring. The CISO has served in such role since February 2021 and has more than 20+ years of engineering and/or cybersecurity experience, including previously as CISO and Deputy Chief Technology Officer at a Fortune 500 company. The cybersecurity program is also supported by Uber’s Chief Privacy Officer and Associate General Counsel, Privacy & Cybersecurity (“CPO”), who has served in that role since August 2018. The CPO has over three decades of experience as a legal advisor to multinational corporations, including serving as Chief Privacy & Security Counsel for a Fortune 100 technology company prior to her role at Uber. The cybersecurity program is supported by other members of Uber’s senior management team as well, including the Chief Legal Officer, Chief Architect Officer, and Global Data Protection Officer. Uber’s Board of Directors oversees the cybersecurity program through regular updates.

This cybersecurity program is a critical component of Uber’s enterprise risk management program, through which Uber reviews business, cybersecurity, information technology, privacy, legal, and geopolitical risks, among others. The cybersecurity program is designed to assess, identify, and manage risks from cybersecurity threats. Key elements of this program include:

- Oversight and Governance. Uber’s Board oversees the cybersecurity program, and Uber’s risk profile with respect to cybersecurity matters, through regular reports and reviews. These include presentations by the CISO to the Board and Audit Committee on an alternating quarterly basis, quarterly reports of certain cybersecurity incidents to the Board, and annual reports by the CPO to the Board. The CISO also provides quarterly updates to Uber’s senior management regarding cybersecurity risks, as well as interim updates during regular meetings with Uber’s engineering, product and internal audit leadership. The CISO and CPO also jointly chair Uber’s Privacy and Cybersecurity Council, which provides a venue for cross-functional insight and input into the cybersecurity program and our privacy program as they relate to Uber’s business operations.

- Internally conducted environment and vulnerability assessments. These include regular assessments performed by Uber’s security engineering teams. The findings from these assessments are reported to Uber’s senior management, including the CISO, and the Board or Audit Committee. In addition, our internal audit function periodically conducts additional reviews and assessments, which are reported to the Audit Committee. We also conduct table-top exercises to simulate the response to cybersecurity incidents; participants may include, among others, the CISO, the CPO, and representatives from communications, investor relations, finance and legal.

- Independent third-party audits and assessments by industry-leading firms. As a global organization, Uber undergoes annual audits to maintain its certification as a Payment Card Industry Data Security Standard (PCI DSS 4.0) Level 1 Merchant and Service provider. Uber also undergoes annual audits to maintain its ISO 27001 certification for its core mobility, delivery, and enterprise businesses, and SOC 2 attestations that vary depending on the Uber product.

- Cyber incident management. This includes efforts by Uber’s security engineering team, at the direction of the CISO, to review potential incidents identified by Uber’s internal teams, Uber’s third-party service providers or external researchers through Uber’s Bug Bounty program; identify those which represent potential or actual threats to Uber’s systems, data or users; investigate and mitigate the cause and impact of such incidents; and implement safeguards to help prevent recurrence. Uber’s CPO and legal team support such efforts, including in connection with legal or disclosure obligations triggered in connection with any such incidents.

- Third Party Risk Management. Uber performs due diligence regarding its third-party suppliers, service providers and business partners. This includes requiring submission of evidence demonstrating third parties’ ability to meet Uber’s cybersecurity and data handling requirements. In addition, Uber’s third-party suppliers and service providers who process Uber personal data are contractually obligated to notify Uber if they experience certain incidents impacting Uber personal data.

For a discussion regarding risks from cybersecurity threats, see our risk factors, including the risk factors titled “-We have experienced, and may experience security or privacy breaches or other unauthorized or improper access to, use of, disclosure of, alteration of or destruction of our proprietary or confidential data, employee data, or platform user data, which could cause loss of revenue, harm to our brand, business disruption, and significant liabilities”, “-Cyberattacks, including computer malware, ransomware, viruses, denial of service attacks, spamming, phishing and social engineering attacks could harm our reputation, business, and operating results”, “-We currently are subject to a number of inquiries, investigations, and requests for information from the DOJ, other federal, state and local government agencies and other foreign government agencies, the adverse outcomes of which could harm our business” and “-We face risks related to our collection, use, transfer, disclosure, and other processing of data, which could result in investigations, inquiries, litigation, fines, legislative and regulatory action, and negative press about our privacy and data protection practices” in Part I, Item 1A of this Annual Report on Form 10-K.


Company Information

Name: Uber Technologies, Inc
CIK: 0001543151
SIC Description: Services-Business Services, NEC
Ticker: UBER - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30