Ibotta, Inc. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 27, 2025

Ibotta, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 17:32:12 EST.

Filings

10-K filed on 2025-02-26

Ibotta, Inc. filed a 10-K at 2025-02-26 17:32:12 EST
Accession Number: 0001628280-25-008240

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Management has established policies and processes to identify, analyze, mitigate, and manage cybersecurity risks relevant to our platform, and has integrated these processes into the Company’s overall risk management processes. Various types of risks are considered, including, but not limited to, fraud, technological, compliance, and vendor risks. Our program for assessing, identifying, and managing material risks from cybersecurity threats includes the following key controls: - To protect our systems and applications, we maintain endpoint security protection on all employee laptops and desktops, including industry-standard firewalls, monitoring, and intrusion detection practices. - We require multi-factor authentication to access our critical systems and applications. - We employ strong password standards for our systems and applications. We also employ firewalls across our infrastructure to guard against threats. - We provide ongoing security training to our employees and contractors about information security policies and practices, including phishing simulations. - Our process for managing third-party risk includes security assessments of key third-party service providers before entering into or renewing business with them or granting them access to our data or information systems. Additionally, we impose contractual restrictions on these providers based on their risk profile. - We maintain enterprise-wide policies and procedures for reporting and managing security incidents, including prompt reporting of all incidents. We perform incident response simulations on at least an annual basis. We engage with independent third-party auditors to perform SOC2 assessments on an annual basis. We also engage with a third party to conduct penetration testing at least annually to identify threats and assess their potential impact to system security. Any vulnerabilities identified in this process are triaged by our information security team and handled in accordance with our vulnerability management process. 67 Table o f Contents As of the date of this report, we have not experienced any cybersecurity incidents that have materially affected us, including our business strategy, results of operations, or financial condition. For certain risks from cybersecurity threats that may materially affect our business strategy, results of operations, or financial condition, see Item 1A, “Risk Factors,” including the section titled, " If our security measures or information we collect and maintain are compromised or publicly exposed, publishers, CPG brands, retailers, and consumers may curtail or stop using our platform, and we could be subject to claims, penalties, and fines." Governance Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee. Ou r Chief Technology Officer oversees our security team, which is responsible for our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The security team consists of experienced engineers and analysts. All senior members of the team have industry recognized accreditations or commensurate experience. Our security team meets at least weekly and holds quarterly meetings with cross-functional leadership to report on cybersecurity risks and threats. Representatives from our security team provide quarterly updates to the Audit Committee and/or Board of Directors regarding the Company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like.

Company Information