Coupang, Inc. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

Coupang, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 17:05:58 EST.

Filings

10-K filed on 2025-02-25

Coupang, Inc. filed a 10-K at 2025-02-25 17:05:58 EST
Accession Number: 0001834584-25-000030

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Coupang has a cyber risk management framework designed to identify, assess, and manage cyber related risks. Cyber related risks are identified through self-identification, audits, assessments, and incidents. Our vulnerability scanning process uses both automated tools and penetration testing to identify vulnerabilities within our environment . We seek to identify, manage and reduce the risks and potential vulnerabilities by integrating controls and solutions into information security and technology projects based on severity and priority. The Chief Information Security Officer (“CISO”), who has extensive cybersecurity knowledge and skills gained from over 15 years of work experience at the Company and elsewhere, leads our global information security organization responsible for overseeing the Coupang information security program. The CISO regularly reviews our cyber strategy with technology leadership in order to integrate the cyber strategy across the organization. The CISO is updated on cybersecurity threats from experienced information security officers in our security organization on an ongoing basis and in conjunction with management, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Supporting the CISO, is the dedicated information security team, which comprises almost 200 individuals. In addition to full-time employees, external consultancy services provide us with certain information security services and specialized advice. We conduct annual assessments by certified external third-party assessors as part of our industry-recognized information security certifications, ISO 27001, 27017, 27701, and ISMS-P. We periodically have external third-party consultants conduct maturity assessments of our Information Security program. The results of these audits and assessments inform us about possible risks which are managed through our enterprise risk management process. We employ external third-party vendors to provide cyber threat intelligence when relevant information is available or as requested. We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider, customer or otherwise implicating the third-party technology and systems we use. We also have a program of Cyber Tabletop exercises, run periodically, with key people in our business, to further enhance our capabilities to respond and recover to a cyber incident. The Coupang executive leadership team provides oversight and guidance on cyber policies, procedures, and strategies. Our Board of Director’s role in risk oversight is consistent with our leadership structure, with the executive leadership team having responsibility for assessing and managing risks we face in executing our business plans, and the Board and its committees providing oversight in connection with those efforts. In addition to the full Board, the Audit Committee of the Board plays an important role in the oversight of our enterprise risk assessment and management activities, which identify key risks to our business, including risks related to cybersecurity, data privacy, and regulations, and assesses any steps taken to monitor and control such risk. The Audit Committee regularly meets with the CISO to discuss various cybersecurity matters including cyber strategy, cybersecurity risks, controls, including results of audits, mitigation strategies, areas of emerging risks, incidents, if any, and industry trends. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported to the Audit Committee through ongoing updates until resolution. We seek to identify and manage risks from cyber threat intelligence and lessons learned from known cyber incidents with our cyber risk management process and include these within our cyber risk strategy through major information security and technology enhancements and projects. As of the date of this 10-K, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. Cybersecurity threats continue to increase, and as set out in our risk factors our services may be affected by cybersecurity and data security incidents, which could be material to the Company. See “Item 1A. Risk Factors” in this Form 10-K for additional discussion on the risks of future cyber incidents to our results of operations and financial condition.

Company Information