Robinhood Markets, Inc. 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

Robinhood Markets, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 16:07:19 EST.

Filings

10-K filed on 2025-02-18

Robinhood Markets, Inc. filed a 10-K at 2025-02-18 16:07:19 EST
Accession Number: 0001783879-25-000049


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

We rely on technology, including the internet and mobile services, to conduct much of our business activity and allow our customers to conduct financial transactions on our platform. As a result, our systems and operations as well as those of the third parties on which we rely to conduct certain key functions are vulnerable to cybersecurity incidents, which we have experienced in the past. Although no organization can eliminate cybersecurity and information technology risk completely, we have a cybersecurity program that includes physical, technological, and administrative controls designed to detect, contain, respond to and remediate cybersecurity threats and incidents and defined processes to assess, identify and manage material risks from cybersecurity threats. These controls and processes include, among others:

- maintaining a vulnerability management program that performs regular vulnerability scans and relies on our risk-based information security program to promote coverage of critical areas;
- establishing an offensive security team that actively tests our security controls, imitating methods persons trying to achieve unauthorized access might use to identify any weaknesses;
- our global privacy program supported by our privacy engineering and privacy legal teams;
- maintaining an incident response plan which outlines the roles and responsibilities of key personnel in the event of a cybersecurity incident;
- conducting mandatory annual security and privacy training for employees and contractors and, where appropriate, giving employees and contractors role-based training focused on content specific to their role at the Company;
- undertaking an annual review of our consumer-facing policies and statements related to cybersecurity;
- requiring our employees to treat customer information and data with care through policy, practice and contract (as applicable); and
- carrying cybersecurity insurance that provides some protection against potential losses arising from a cybersecurity incident.

Our cybersecurity program is managed by the Company’s Security and Corporate Engineering organization, which is led by our CSO, who reports directly to the CEO. Our CSO has over twenty years of experience in the security industry and has held a variety of leadership positions in cybersecurity at Capital One, including as Vice President, Divisional Chief Information Security Officer. Additionally, several of Robinhood’s subsidiaries, including RHC, RHF, and RHS, have a Chief Information Security Officer, who reports to the CSO, and a Risk Operating Committee (“ROC”) that manages risks, including cybersecurity risks, specific to each entity’s business. Each of our Chief Information Security Officers has expertise in cybersecurity, industry and regulatory standards, risk management, and security operations. The Security organization elevates risks to the relevant ROCs where applicable.

Our cybersecurity program is aligned with industry standards and best practices, such as the NIST CSF, and we engage third-party consultants annually to conduct a NIST CSF maturity assessment of our cybersecurity program. We maintain a Third Party Security and Privacy Standard and conduct security reviews of vendors, including for potential fourth-party risks, prior to and during their contracts with Robinhood and require all third-party service providers with access to personal, confidential or proprietary information to implement and maintain cybersecurity practices consistent with applicable legal standards and industry standards. Any identified security or privacy risks of doing business with a vendor, including potential fourth-party risks, are highlighted to business owners to help make informed risk-based decisions. We also engage the assistance of third-party consultants to increase protection of our information and IT systems and network to help secure long-term value for our stakeholders. Services provided by third-party consultants include, but are not limited to: regular assessments of our cybersecurity program including cyber maturity assessments and penetration tests; risk scoring of our critical business partners and vendors; and participating in incident response processes.

Our management is responsible for the Company’s day-to-day risk operations and management processes. Management has established cybersecurity standards to improve the Company’s cybersecurity risk posture and to help define and implement appropriate measures to protect the Company’s systems and data from cyber threats. In addition to our Internal Audit and Compliance functions, the ERM team partners with various front-line risk teams and risk owners across Robinhood to foster consistent risk management practices across Robinhood. In particular, the ERM team provides governance over risk management practices and reports on a quarterly basis on top risks to the Safety Committee, along with planned mitigants and monitoring procedures.

If a cybersecurity incident occurs, incident response procedures are in place to facilitate the appropriate reporting to the CSO, and business continuity plans are mobilized to minimize disruption to business operations. We have also implemented guidelines to outline communications responsibilities during incidents of all severity levels, including an escalation process for alerting senior management of high severity and material incidents. If a significant cybersecurity incident occurs, we will conduct an assessment to determine if it is material to us. If a materiality assessment is required, the CSO will report such an incident to our Materiality Assessment Committee (“MAC”), which consists of the CFO, CLO, and CBO (in addition to the CSO) and notify the CEO. The MAC will then determine, without unreasonable delay, whether the incident is material to the Company. In making such determination, the MAC may consult with the CEO, other members of the Company’s management, and the Company’s outside professional advisors, in each case, as appropriate. The incident materiality determination will be made by considering all relevant quantitative and qualitative factors, including without limitation: the nature, size and scope of the incident; financial condition; results of operations; litigation or regulatory investigations/actions; the Company’s reputation, and customer and vendor relationships; and competitiveness.

The principal role of our board of directors and the Safety Committee, a board-level committee composed solely of independent directors, is one of oversight, recognizing that management is responsible for the design, implementation, and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The Safety Committee reviews management’s exercise of its responsibility to identify, assess, manage, monitor and mitigate material risks not specifically allocated to the board of directors or another of its committees. The Safety Committee has been explicitly assigned the responsibility to oversee risks from cybersecurity threats, among others, and the full board of directors will be notified when the MAC is assessing a cybersecurity incident and informed of any required disclosures. Our board of directors and Safety Committee receive updates on relevant industry developments, threats, and material risks identified as needed each quarter, including material legal and legislative developments concerning data privacy and security and the rapidly evolving cybersecurity risk landscape, and the Safety Committee facilitates the board of directors’ oversight responsibilities.

Our systems and those of our customers and third-party service providers have been and might in the future be vulnerable to cybersecurity threats. For more information about risks related to cybersecurity threats, including previous cybersecurity incidents (including the November 2021 Data Security Incident (defined below)), that have materially affected or are reasonably likely to materially affect our business, financial condition, and results of operations, see “Risk Factors - Our business could be materially and adversely affected by a cybersecurity breach or other cybersecurity incident involving our information systems or data or those of our customers or third-party or fourth-party service providers.”


Company Information

Name: Robinhood Markets, Inc.
CIK: 0001783879
SIC Description: Security Brokers, Dealers & Flotation Companies
Ticker: HOOD - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30