Clear Secure, Inc. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 26, 2025

Clear Secure, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 08:33:15 EST.

Filings

10-K filed on 2025-02-26

Clear Secure, Inc. filed a 10-K at 2025-02-26 08:33:15 EST
Accession Number: 0001856314-25-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY CLEAR’s information security program is managed by a dedicated Chief Security Officer (“CSO”), who has over 27 years of experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, as well as relevant academic degrees, formal military training, and industry certifications. Our CSO’s team is responsible for leading the Company’s Enterprise Risk Management Program (“ERM Program”), which integrates our cybersecurity strategy, policy, standards, architecture and processes, and through which we regularly discuss and assess identified cybersecurity risks. Our CSO attends ERM Program meetings where cybersecurity (and other) risks are identified. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds, utilize a range of external experts, such as cybersecurity assessors, consultants and auditors, in evaluating and testing our cybersecurity systems. Further, CLEAR recognizes the importance of managing cybersecurity risks associated with third-party relationships as part of its broader risk management framework, as we are an organization that relies on a variety of third-party vendors, service providers, and business partners, and are aware that these relationships present potential risks to the security and integrity of our information systems. To mitigate these risks, the company works closely with vendors using our risk framework to identify, assess, and monitor potential cybersecurity threats that arise from relationships with external entities. Our approach includes conducting due diligence, enforcing contractual cybersecurity requirements, and implementing third-party cybersecurity best practices designed to align with CLEAR’s risk management objectives. In addition, the Company has established the CLEAR Security Advisory Board, which provides guidance and advice on security risk and privacy to our Board and our CSO. The CSAB is currently comprised of three external members with a range of executive national and international expertise in areas such as aviation and transportation security, physical security operations, cyber security, and privacy and data security. The CSAB meets in-person, together with management of the Company, at least annually, in addition to quarterly meetings by phone. The CSAB reports annually to our Board or our Audit Committee, and is an available resource to both management and members of the Board at any time. The full Board provides oversight of the cybersecurity program while the Audit Committee of the Board predominantly oversees risk, including data security and oversight of cybersecurity risks, providing regular updates to the full Board. The CSO is actively engaged in discussions with the Board regarding the identification, assessment, and mitigation of cybersecurity risks to ensure that appropriate resources are dedicated to managing such risks and addressing any potential adverse effects, and provides periodic reports to our Board and Audit Committee, as well as our Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. Although CLEAR has not experienced any material cybersecurity breaches during the reporting period, we acknowledge that cyber incidents, if they were to occur, could have a material adverse effect on our financial results. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.

Company Information