Bumble Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Bumble Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 17:12:38 EST.

Filings

10-K filed on 2025-02-28

Bumble Inc. filed a 10-K at 2025-02-28 17:12:38 EST
Accession Number: 0000950170-25-030151


Item 1C. Cybersecurity.

As required by Item 106 of Regulation S-K, the following sets forth certain information regarding our cybersecurity strategy, risk management and governance.

Risk management and strategy

Cybersecurity risk management is an important and rapidly evolving part of our overall risk management efforts. We believe we are a particularly attractive target as a result of the types and volume of personal data and content on our systems and the evolving nature of our products and services. Our products and services reach millions of users and involve the collection, storage, processing, and transmission of large amounts of data. In addition, our business and operations span numerous geographies around the world, involve hundreds of employees, contractors, vendors, developers, partners, and other third parties, and rely on software and hardware that is highly technical and complex. We maintain an information security program that is comprised of policies and controls designed to mitigate cybersecurity risk. However, at any given time, we face known and unknown cybersecurity risks and threats that are not fully mitigated, and we discover vulnerabilities in our program. We continuously work to enhance our information security program and risk management efforts.

Our Information Security Management System (“ISMS”), the foundation of our security framework, is designed to protect critical assets (including our users’ personal information) and assess, identify, manage and mitigate material risks from cybersecurity threats. The ISMS is applicable to all individuals and third parties providing services to the Company and is informed by multiple industry-recognized standards and frameworks, including the International Organization for Standardization (“ISO”) standards for information security management systems, the U.S. National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and the Payment Card Industry (“PCI”) Data Security Standard (“PCI-DSS”). It leverages the guidance of ISO 27001 in its design and operation, with policies intended to align to the requirements of ISO 27001 and follow the technical guidance of the appropriate NIST SP 800-53 Security and Privacy Controls standards where applicable. We review our security policies and procedures at least once annually, as well as in connection with significant enterprise-wide changes, such as technical or structural changes in our business or regulatory changes, and our policy content is continuously updated to account for a shifting threat landscape and to incorporate emerging best practices. We are a PCI-DSS Level 1 Merchant and are independently assessed against the PCI-DSS standard annually by an external PCI Qualified Security Assessor.

Pursuant to the ISMS, we continuously monitor cybersecurity threats and strive to preemptively identify vulnerabilities. Our vulnerability management program operates on multiple layers of vulnerability discovery, such as third-party software component analysis, static and dynamic security testing, continuous infrastructure vulnerability scanning, cloud infrastructure scanning, independent third-party penetration testing, and a public bug bounty scheme. Our threat detection capabilities include automated 24/7 detection and alerting with automated response protocols designed to support rapid analysis and enrichment for security analysts who are guided by a formally documented Incident Response Plan in the event of a breach, as more fully described below.

The ISMS also provides for ongoing processes, tools and methods to bolster our cybersecurity defenses. We provide training to all of our employees, which includes annual information security awareness education, delivery of monthly cybersecurity updates, and simulated phishing exercises. We also host a live, third-party tabletop exercise annually for information security incident response for key individuals, including senior management and other senior leaders of the Company. Additional security features that we have in place that are intended to protect our systems and data from cyber-attacks include: physical and digital access controls, multifactor authentication for domain sign-on, corporate mobile device management, and tools to detect malicious emails and other suspicious activity.

Finally, the ISMS incorporates an Incident Response Plan, which outlines the procedures that we use to investigate and respond to cybersecurity events and alerts, an Incident Response Policy, which sets out high-level principles and requirements that apply to cybersecurity incident response, and a Business Continuity Plan, which sets out high-level steps in protecting the services, assets and employees of the Company during an event that disrupts business continuity. The Incident Response Plan includes clearly defined roles and responsibilities, including guidance for reporting up the chain to senior management and, where appropriate, to the Audit Committee and the Board. We consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and our senior management makes the final materiality determinations and disclosure and other compliance decisions. The Incident Response Plan comprises four high-level phases: identification and investigation of a cybersecurity incident (including suspected personal data breaches); containment to lessen any ongoing harm; eradication of the root cause; and, post-recovery, supplementation of the cybersecurity incident record with lessons learned in order to improve our incident response capabilities.

The Business Continuity Plan defines the procedures to be followed if there is a critical failure that results in operations at one of our corporate offices being suspended, as well as the procedures to be followed if there is a critical failure of our services or underlying hosting infrastructure that results in significant degradation of a service provided, with an aim to operate at existing service levels throughout the duration of the incident.

When engaging third-party critical service providers, we conduct security assessments before engagement and require them to implement comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. As part of such security assessment, we ask the third-party service provider to complete a privacy and security questionnaire, through which we can assess the service provider’s security capabilities and maturity, and to provide us with evidence of penetration testing and reports.

While we do not believe that, as of the date of this Form 10-K, we have experienced a cybersecurity threat or incident, including as a result of any previous cybersecurity incident, that has materially adversely affected our business strategy, results of operations or financial condition, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security incidents of these types, and we may not be able to implement effective preventive measures against such security incidents in a timely manner. For more information on risks to us from cybersecurity threats, see Part I, “Item 1A-Risk Factors-Risks Related to Information Technology Systems.”

Governance

We have integrated the process of cybersecurity risk management, including oversight of the ISMS, into our broader risk management framework. The Board has broad oversight of risk management related to us and our business while delegating certain specific risk oversight responsibilities to its committees. The Board oversees our risk management activities through a combination of processes, including direct engagement with management. The Board has determined that the Audit and Risk Committee shall review our compliance with legal and regulatory requirements as well as the effectiveness of our risk management processes. As part of this oversight, the Audit and Risk Committee reviews the guidelines, policies, and practices that govern how senior management handles our exposure to cyber- and privacy-related risks.

Our Chief Information Security & Trust Officer (“CISO”) leads our cybersecurity program across the Company and oversees the ISMS. He is supported by our Information Security team, which includes the first responders to cybersecurity incidents. Our CISO provides quarterly updates to the Audit and Risk Committee, as well as an annual report to the Board, regarding the Company’s cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies, while maintaining the confidentiality, integrity, and availability of information, including user information under our custody. There are also scheduled monthly meetings where, among others, our CISO, Head of Privacy and a representative of the Sponsor attend, in order to discuss our cybersecurity program, including evaluating the implementation of additional controls, processes, policies, and procedures, as appropriate, as well as any notable security incidents, if any.

Our CISO joined the Company in April 2024, and has over 20 years of experience in the field of cybersecurity.


Company Information

Name: Bumble Inc.
CIK: 0001830043
SIC Description: Services-Computer Programming, Data Processing, Etc.
Ticker: BMBL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30