Toast, Inc. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 27, 2025

Toast, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-26 16:52:42 EST.

Filings

10-K filed on 2025-02-26

Toast, Inc. filed a 10-K at 2025-02-26 16:52:42 EST
Accession Number: 0001650164-25-000072


Item 1C. Cybersecurity.

We recognize the importance of managing cyber risks that we face and have established processes as part of our overall enterprise risk management, or ERM, program to identify, assess, and manage risks associated with cybersecurity. Our Board retains oversight of our cybersecurity risk management. Our cybersecurity program is informed by industry standards, including the National Institute of Standards and Technology, or NIST, Cybersecurity Framework. In general, we seek to address cybersecurity risks through a cross-functional approach that is designed to preserve the confidentiality, security and availability of the information that we collect and store.

Governance Related to Cybersecurity Risks

Our Board holds oversight responsibility over our strategy and risk management, including risks related to cybersecurity threats. Under the oversight of the Audit Committee, we have implemented an ERM framework that includes processes for identifying, assessing, and responding to cyber risk exposures. The enterprise risk management process is led by our chief compliance officer, where team members are responsible for working with cross-functional leadership at our Company to assess risks across designated verticals, including cybersecurity. The chief compliance officer reports on the ERM process to the Audit Committee of our Board regularly. In addition, we have established a management committee, or our Enterprise Risk and Compliance Committee, that meets regularly to review and report on the ERM framework to senior leadership.

Our Chief Information Security Officer, or CISO, who has decades of experience in similar roles in the technology industry, leads and oversees our information security program, including our cybersecurity policies and information security team. This team is responsible for implementing processes designed to identify and protect company assets through prevention and detection controls.

Through our cybersecurity program, we have developed prevention, response and recovery processes and procedures designed to address potential adverse impacts to our company should a cyber event or incident occur. We have implemented security and awareness training which is required for all employees during onboarding and annually thereafter, and we conduct regular phishing simulations. Management reports cybersecurity risks to the Enterprise Risk and Compliance Committee in accordance with the risk management program and to our Board’s Audit Committee in an effort to keep our Board apprised of the rapidly evolving cyber threat landscape and to enable the assessment of the effectiveness of our overall cybersecurity and compliance programs.

Cyber Risk Management and Strategy

Processes to identify, assess, and manage risks presented by cybersecurity threats are integrated into our overall ERM program and are informed by industry cybersecurity standards, including the NIST Cybersecurity Framework. Our CISO, in collaboration with the team responsible for the ERM program and the information security team, conducts a risk assessment process to regularly evaluate, monitor, manage, and mitigate cybersecurity risks. This process is also supported by periodic security testing and monitoring. Our CISO reviews and contributes to the cybersecurity risk reporting that is provided to the Audit Committee of our Board on a quarterly basis. The quarterly updates include cybersecurity risk assessment results, which include risks associated with the use of third-party service providers, and cover efforts to mitigate previously identified risks. Our CISO also oversees the cybersecurity incident response team and is responsible for updating our Board on any cybersecurity incidents, including the mitigation and remediation of these incidents, should they occur.

As discussed within “Item 1A, Risk Factors”, we rely on service providers to process sensitive business information. As part of our risk management program, we have implemented a process to conduct a security review of third-party service providers, including through vendor questionnaires and contractual-related security requirements, as appropriate. In addition, we engage third-party experts, including external legal counsel and cybersecurity advisors, to assist in our identification and management of cybersecurity risks as needed.

We have established an incident response process to assess, respond, and report in the event that a cybersecurity incident is detected. Management has also assembled a committee and an escalation protocol in connection with evaluating cybersecurity incidents for any potential disclosure obligations arising from such incidents.

Cybersecurity is incorporated into our overall business strategy as cybersecurity risks may have a negative impact on our business as outlined within “Item 1A, Risk Factors.” Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats to and security incidents of our and our third-party vendors’ data and systems. For more information, please see “Item 1A, Risk Factors.”


Company Information

Name: Toast, Inc.
CIK: 0001650164
SIC Description: Services-Computer Processing & Data Preparation
Ticker: TOST - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: December 30