Roblox Corp 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

Roblox Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 08:44:49 EST.

Filings

10-K filed on 2025-02-18

Roblox Corp filed a 10-K at 2025-02-18 08:44:49 EST
Accession Number: 0001315098-25-000033


Item 1C. Cybersecurity.

We have an enterprise-wide information security program that is designed to identify, protect, detect, and respond to significant cybersecurity risks and threats and we have integrated this program into our overall enterprise risk management systems and processes. We routinely assess material risks from cybersecurity threats, including taking reasonable steps to detect any potential unauthorized occurrence on or behaviors conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We maintain an incident response plan designed to identify, evaluate, respond to, and recover from a cybersecurity incident. The plans are designed to be flexible so that they may be adapted to an array of potential scenarios, and provide for the creation of cross-functional incident response teams in the event of a cybersecurity incident. We also periodically conduct testing, simulations, and tabletop exercises to help support our overall preparedness for a cybersecurity incident.

Risk Management and Strategy

We conduct periodic risk assessments to identify significant cybersecurity threats that may affect information systems that are vulnerable to such cybersecurity threats and regularly review these risk assessments for changes in our business practices and the external cybersecurity landscape as well as the impacts of our security processes. These risk assessments include identification of reasonably foreseeable internal and external risks and evaluation of the likelihood and potential damage that could result from the realization of such risks. Following our risk assessments, we evaluate when and how to design, implement, and maintain reasonable safeguards to minimize the identified risks and address any identified gaps in existing safeguards, and proceed with such design, implementation, and maintenance as deemed appropriate.

We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief People and Systems Officer, to manage the risk assessment and mitigation process. Our CISO has served in various roles in information technology and information security for over 15 years, including leading information security initiatives and incident response at two other large public companies and serving as the Chief Security Officer for the Arkansas Department of Human Services and working for the United States Department of Defense. He has an MS in Information Assurance from the University of Advanced Technology in Arizona and a BS in Computer Science from the University of Arkansas at Little Rock. All employees receive cybersecurity training during their onboarding. In addition, we have implemented a cybersecurity awareness program designed to educate employees on best security practices, emerging risk areas, and how to identify and report security threats. We include security expectations in employee performance management systems. We also engage third-party service providers in connection with our risk assessment process and certain risk management processes. Our collaboration with these third-party service providers includes threat assessments, risk analyses, assessments of the effectiveness of our cybersecurity program, policies and practices, and consultations on opportunities and potential enhancements to strengthen our cybersecurity program. We perform risk-tiered information security risk reviews for certain third-party service providers who have access to sensitive Company, user or employee information, reviewing areas such as data protection, endpoint management and protection, phishing, business continuity, and incident response management.

We contractually require certain third-party service providers with access to our information technology systems, sensitive business data, and/or personal information to implement and maintain appropriate security controls and provide for contractual restrictions on their ability to use our data. Certain of our service providers are contractually required to notify us promptly of information security incidents that may affect our systems or data, including personal information. We also share and receive threat intelligence with federal, state, and local government agencies, peers and other organizations, information sharing and analysis centers, and cybersecurity associations.

Governance

Our Board of Directors has the ultimate responsibility for the oversight of our risk management framework, which is designed to identify, assess, and manage risks to which our Company is exposed, as well as to foster a corporate culture of integrity. Management is responsible for the day-to-day oversight and management of strategic, operational, legal and compliance, cybersecurity, and financial risks. The Audit and Compliance Committee (the “ACC”) is central to the Board of Directors’ oversight of cybersecurity risks and has been delegated the primary responsibility for this domain. The ACC is composed of independent board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. The ACC has also engaged a cybersecurity advisor to assist them in cybersecurity matters. In overseeing the Company’s cybersecurity risks and mitigation strategies, at least quarterly the CISO, members of management, and the ACC’s cybersecurity advisor review and discuss with the ACC guidelines, practices and policies to identify, monitor, and address enterprise risks, including cybersecurity risks. The ACC then oversees and monitors management’s plans to address such risks.

Our CISO, and our management committee on cybersecurity consisting of our Chief People and Systems Officer, General Counsel, Chief Financial Officer, and CISO, are primarily responsible for assessing and managing our material risks from cybersecurity threats and overseeing our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our CISO, and our management committee on cybersecurity, are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include both manual reviews and automated reviews of our systems and data, a bug bounty program, self-reporting, participation in information sharing forums on cybersecurity, proactive education of our service providers, and product and application security reviews. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan to guide response actions. This incident response plan includes immediate actions to assess and mitigate the impact of the incident, long-term strategies for remediation and prevention of future incidents, and provides for internal notification of the incident functional areas (e.g. legal) as well as senior leadership and the ACC of the Board of Directors, as appropriate. Our CISO provides briefings to the ACC at least quarterly regarding, among other topics, recent notable cybersecurity incidents, even if immaterial, and the Company’s response, cybersecurity systems testing results, the Company’s cybersecurity threat landscape, which includes emerging risks and threats, and compliance with regulatory requirements and industry standards. Notwithstanding the extensive approach we take to cybersecurity, including managing associated risks, we may not be successful in managing risks from cybersecurity threats, including identifying, preventing, or mitigating a cybersecurity incident that could have a material adverse effect on us.
While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. During the last fiscal year, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that materially affected the Company, including its business strategy, results of operations, or financial condition. However, we face ongoing and increasing cybersecurity risks, including those from threat actors who are becoming more sophisticated and effective over time. If realized, these risks may materially affect the Company. For additional information regarding the cybersecurity risks we face, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled “Risks Related to Our Business: If the security of our Platform is compromised, it could compromise our and our developers’, creators’, and users’ private information, disrupt our internal operations, and harm public perception of our Platform, which could cause our business and reputation to suffer.”


Company Information

Name: Roblox Corp
CIK: 0001315098
SIC Description: Services-Prepackaged Software
Ticker: RBLX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30