Compass, Inc. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

Compass, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:46:11 EST.

Filings

10-K filed on 2025-02-25

Compass, Inc. filed a 10-K at 2025-02-25 16:46:11 EST
Accession Number: 0001563190-25-000050


Item 1C. Cybersecurity.

Overview of the Cybersecurity Program

Compass operates a cybersecurity program designed to identify, assess, and mitigate cybersecurity risks to protect our information assets, ensure business continuity, and maintain stakeholder trust. Guided by industry best practices, including the National Institute of Standards and Technology’s Cybersecurity Framework (“NIST CSF”) and the Center for Internet Security (“CIS”) Critical Controls, we focus on continuous improvement to address emerging threats and vulnerabilities. We recognize the evolving nature of cybersecurity threats and regularly enhance our security controls, processes, and policies to adapt to these risks. As part of our cybersecurity program, we undertake various activities and programs, including, but not limited to: detective, preventative, corrective, and technical controls; identity and access management systems; periodic risk assessments, including penetration testing; periodic end-user training and simulations; incident response; vulnerability management; infrastructure and application security; corporate security; and policies for the handling of personally identifiable information and other restricted data. We closely monitor privacy and cybersecurity laws and regulations and conduct related reviews of our policies. We have implemented incident response plans that provide for the response, containment, eradication, reporting, and disclosure of security incidents. We also carry customary cybersecurity risk insurance and have a retainer in place for third-party incident response and forensics resources.

Cybersecurity Risk Management Program

Cybersecurity is an ongoing priority, and we have developed and implemented a cybersecurity risk management program designed to identify, assess, prioritize, and mitigate cybersecurity risks to ensure our compliance with applicable privacy and cybersecurity laws. Our cybersecurity risk management program is integrated with our overall enterprise risk management program and is a crucial component of our risk assessment process. For instance, we report on, review, and consider the results and findings from external and internal security and privacy assessments as part of our risk program. Additionally, we analyze how cybersecurity risks interact with operational, financial, compliance, and reputational risks. When appropriate, we also engage third-party service providers to evaluate, test, or assist with specific elements of our cybersecurity risk management program. For instance, we utilize external assessors, including security researchers and penetration testers, to identify and report vulnerabilities in our information systems. Further, our cybersecurity risk management program includes a third-party risk management program to assess and manage cybersecurity risks associated with our use of third-party service providers that have access to our information systems and/or employee, agent or agent client confidential information. For example, we perform certain due diligence before engaging third-party service providers and consider potential cybersecurity risks and exposures in our choice among providers. We also generally require our third-party service providers that could potentially introduce cybersecurity risks to our information systems or sensitive consumer personal information to contractually agree to maintain a cybersecurity risk management program aimed at mitigating those risks and be subject to external cybersecurity audits.

Cybersecurity Risks Associated With Cybersecurity Threats

While we have been subject to a number of cybersecurity threats and experienced non-material incidents in the past, as of the date of this Annual Report, they have not had a material adverse effect on our business, financial condition or results of operations. Our third-party service providers have also been subject to a number of cybersecurity threats and incidents, but to date, none of those threats and incidents have had a materially adverse effect on our business, financial condition, or results of operations. Please refer to the “Risk Factors” section of this Annual Report for additional information related to the cybersecurity risks that could potentially impact our business.

Cybersecurity Governance

Our Information Security team oversees our cybersecurity program, which is described in more detail above. In conjunction with the Company’s in-house legal team, this team is principally responsible for managing our cybersecurity risk management program, our security controls, and our response to cybersecurity threats and incidents. We have also established a Security and Privacy Committee (“Committee”), co-chaired by our Senior Vice President, Head of Engineering, Chief Information Security Officer (“CISO”) and General Counsel, that meets monthly. This Committee is responsible for setting cybersecurity policies, strategies, and priorities, as well as ensuring that cybersecurity initiatives are aligned with the Company’s objectives. Members of the Committee may, from time to time, include representatives from information security, internal audit, legal, product, engineering, finance, operations, strategy and people and culture functions. In addition to the monthly communications at the Committee level, our Information Security team collaborates with senior leadership across our organization on a regular basis as part of the Company’s overall enterprise risk management program. In 2024, we hired a new Chief Information Security Officer to oversee the cybersecurity program and lead the Information Security team. Our CISO has over 17 years of experience building security teams and driving security initiatives for public, high-growth, and regulated companies. He is a Certified Information Systems Security Professional and reports to our Senior Vice President and Head of Engineering. Our CISO reports quarterly to the Audit Committee of our board of directors (the “Audit Committee”), which is responsible for overseeing the Company’s cybersecurity risk management program and cybersecurity risks. As part of that report, our CISO covers topics such as (i) an overview of our overall cybersecurity strategy and posture, (ii) results and recommendations from cybersecurity risk assessments and audits, (iii) vulnerabilities in our information systems, (iv) progress towards pre-determined risk-mitigation goals, (v) identified and potential cybersecurity risks and threats, (vi) cybersecurity incidents of certain impact in accordance with the Company’s cybersecurity policies, and (vii) programs related to mitigation of cybersecurity risks and potential threats, among other things. The Audit Committee reports to the full board of directors regarding its activities, including reports that it receives from our CISO.


Company Information

Name: Compass, Inc.
CIK: 0001563190
SIC Description: Services-Computer Programming Services
Ticker: COMP - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30