Opendoor Technologies Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Opendoor Technologies Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:19:35 EST.

Filings

10-K filed on 2025-02-27

Opendoor Technologies Inc. filed a 10-K at 2025-02-27 16:19:35 EST
Accession Number: 0001801169-25-000017

Item 1C. Cybersecurity.

Item 1C. Cybersecurity " for additional information regarding our cybersecurity governance, risk management and strategy.

Internet law is evolving, and unfavorable changes to, or failure by us to comply with, these laws and regulations could adversely affect our business, results of operations, and financial condition.

We are subject to regulations and laws specifically governing the internet. The scope and interpretation of the laws that are or may be applicable to our business are often uncertain, subject to change, and may be conflicting. If we incur costs or liability as a result of unfavorable changes to these regulations or laws or our failure to comply therewith, our business, results of operations, and financial condition could be adversely affected. Any costs incurred to prevent or mitigate this potential liability could also harm our business, results of operations, and financial condition.

Our fraud detection processes and information security systems may not successfully detect all fraudulent activity by third parties aimed at our employees or customers, which could adversely affect our reputation and business results.

Third-party actors have attempted in the past, and may attempt in the future, to conduct fraudulent activity by engaging with our customers, particularly in our title insurance and escrow business. We make a large number of wire transfers in connection with loan and real estate closings and process sensitive personal data in connection with these transactions. We may not be able to detect and prevent all fraudulent activity on our mobile applications, websites, and internal systems. Similarly, the third parties we use to effectuate these transactions may fail to maintain adequate controls or systems to detect and prevent fraudulent activity. Fraudulent activity may result in litigation or government actions, for example, if individuals or regulators deem our fraud detection processes inadequate.
Additionally, persistent or pervasive fraudulent activity may cause customers and real estate partners to lose trust in us and decrease or terminate their usage of our products, or could result in financial loss, thereby harming our business and results of operations.

Our risk management efforts may not be effective.

We could incur substantial losses and our business operations could be disrupted if we are unable to effectively identify, manage, monitor, and mitigate financial risks, such as pricing risk, interest rate risk, liquidity risk, and other market-related risks, as well as operational and legal risks related to our business, assets, and liabilities. We also are subject to various laws, regulations and rules that are not industry specific, including employment laws related to employee hiring and termination practices, health and safety laws, environmental laws and other federal, state and local laws, regulations and rules in the jurisdictions in which we operate. Our risk management policies, procedures, and techniques may not be sufficient to identify all of the risks to which we are exposed, mitigate the risks we have identified, or identify additional risks to which we may become subject in the future. Expansion of our business activities may also result in our being exposed to risks to which we have not previously been exposed or may increase our exposure to certain types of risks, and we may not effectively identify, manage, monitor, and mitigate these risks as our business activities change or increase.

We are from time to time involved in, or may in the future be subject to, claims, suits, government investigations, and other proceedings that may result in adverse outcomes.

We are from time to time involved in, or may in the future be subject to, claims, suits, government investigations, and proceedings arising from our business, including actions with respect to intellectual property, privacy, consumer protection, information security, our historic mortgage lending services, real estate, environmental, data protection or law enforcement matters, tax matters, labor and employment, and commercial claims, as well as actions involving content generated by our customers, shareholder derivative actions, purported class action lawsuits, and other matters. Such claims, suits, government investigations, and proceedings are inherently uncertain, and their results cannot be predicted with certainty. Regardless of the outcome, any such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, negative publicity and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties, or sanctions, as well as judgments, consent decrees, or orders preventing us from offering certain features, functionalities, products, or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results and financial condition.

39 TABLE OF CONTENTS OPENDOOR TECHNOLOGIES INC.

Our business could be negatively impacted by corporate citizenship and ESG matters and/or our reporting of such matters.

Institutional, individual, and other investors, proxy advisory services, regulatory authorities, consumers, and other stakeholders are increasingly focused on environmental, social, and governance (“ESG”) practices of companies.
For example, various groups produce ESG scores or ratings based at least in part on a company’s ESG disclosures, and certain market participants, including institutional investors and capital providers, use such ratings to assess companies’ ESG profiles. Simultaneously, there are efforts by some stakeholders to reduce companies’ efforts on certain ESG-related matters. Both advocates and opponents to certain ESG matters are increasingly resorting to a range of activism forms, including media campaigns, shareholder proposals and litigation, to advance their perspectives. To the extent we are subject to such activism, it may require us to incur costs or otherwise adversely impact our business. There are also increasing and evolving regulatory expectations on ESG matters. For example, in March 2024, the SEC adopted extensive climate-related disclosure requirements that require U.S. public companies to dramatically expand the climate-related disclosures in their SEC filings, including the disclosure of scope 1, 2, and 3 emissions for some companies. These SEC climate rules were subsequently stayed. In September 2023, California passed climate-related disclosure mandates that are broader than the SEC’s proposed rules. Similar legislation has been proposed in the state of New York, and other states may propose their own climate or ESG-related regulations from time to time. Compliance with various and potentially fragmented disclosure rules may be costly and subject us to criticism by regulators, investors, the media or other stakeholders for the accuracy, adequacy or completeness of potential ESG disclosures and could adversely impact our reputation and financial position. As we look to respond to evolving standards for identifying, measuring, and reporting ESG information, our efforts may result in a significant increase in costs and may nevertheless not meet investor or other stakeholder expectations and evolving standards or regulatory requirements. 
For example, actions or statements that we may take based on expectations, assumptions, or third-party information that we currently believe to be reasonable may subsequently be determined to be erroneous or not in keeping with best practice. If we fail to, or are perceived to fail to, comply with or advance certain ESG initiatives (including the manner in which we complete such initiatives), we may be subject to various adverse impacts, including to our financial results, our reputation, our ability to attract or retain employees, our attractiveness as a service provider, investment, or business partner, or expose us to government enforcement actions, private litigation, and actions by stockholders or stakeholders. Additionally, many of our business partners and suppliers may be subject to similar expectations, which may augment or create additional risks, including risks that may not be known to us.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes multiple layers of security controls, including network segmentation, security monitoring, endpoint protection, and identity and access management, as well as a cybersecurity incident response plan. We assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). While we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business, this does not imply that we meet any particular technical standards, specifications, or requirements, and our maturity varies across our cybersecurity program.
Our cybersecurity risk management program considers cybersecurity risks alongside other company risks as part of our overall cybersecurity risk assessment process, and shares common methodologies, reporting channels and governance processes that apply to other risks impacting the company, such as regulatory, financial and operational risks.

Our cybersecurity risk management program includes:

- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
- a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of vulnerability scans and penetration testing;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- cybersecurity awareness training of our employees, incident response personnel, and senior management, including annual incident training, regular phishing email simulations and tabletop exercises to simulate incident responses;
- a robust cybersecurity incident response plan that includes documented procedures for preparing for, detecting, responding to and recovering from cybersecurity incidents, as well as processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident; and
- a third-party risk management process for service providers, suppliers, and vendors.

We have experienced a limited number of immaterial cybersecurity incidents in the past, regularly experience cybersecurity attempts, and expect that we will continue to experience varying degrees of cybersecurity attempts and incidents in the future.
To date, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, there can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our systems and information. See "Item 1A. Risk Factors" for additional discussion regarding the risks we face from cybersecurity threats.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity and other information technology risks. The Committee oversees management’s implementation of our cybersecurity risk management program. The Committee receives updates at least annually from our Chief Technology and Product Officer and management on our cybersecurity risk management and strategy, including, as applicable, progress towards our risk-mitigation goals, results from third-party assessments, and the emerging threat landscape. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Committee reports to the full Board regarding its activities, including those related to cybersecurity, and will, from time to time, brief the full Board on our cybersecurity risk management program. From time to time, our Committee members receive presentations on cybersecurity topics from our internal or external experts as part of its continuing education on topics that impact public companies.
Our Chief Technology and Product Officer, in coordination with our internal security staff, is responsible for assessing and managing our material risks from cybersecurity threats, and has primary responsibility for our overall cybersecurity risk management program and supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Chief Technology and Product Officer, who possesses a 20-year track record in product development and engineering, eight years of which consist of overseeing technology, including the oversight of information security systems, reports directly to our Chief Executive Officer. This extensive experience spans both public and private companies. Our Chief Technology and Product Officer supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports produced by security tools deployed in the IT environment, such as regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises.


Company Information

Name: Opendoor Technologies Inc.
CIK: 0001801169
SIC Description: Real Estate Agents & Managers (For Others)
Ticker: OPEN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30