1stdibs.com, Inc. 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

1stdibs.com, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 07:06:41 EST.

Filings

10-K filed on 2025-03-03

1stdibs.com, Inc. filed a 10-K at 2025-03-03 07:06:41 EST
Accession Number: 0001600641-25-000011


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as our business depends on both buyers and sellers trusting that their shopping experience with us is both reliable and safe.

We have integrated cybersecurity risk management into our broader risk management framework in many ways, including (i) our regular updates to the Audit Committee, (ii) our information technology and security related internal controls and (iii) our global incident response and vulnerability management programs.

We view cybersecurity as a shared responsibility across the Company. All employees are required to complete yearly security training, and we periodically perform tabletop exercises with management participation. Further, our cross-functional teams work together to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

We use various security tools and processes to help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner, including, but not limited to, internal reporting, monitoring and detection tools and a vulnerability identification program.

Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity consultants in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, with a goal of ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.

In order to mitigate data or security incidents that may originate from third party vendors or suppliers, we conduct both privacy and security assessments to properly identify, prioritize, assess and remediate any third party risks, and require security and privacy addenda to our contracts where applicable.

The nature of our business exposes us to cybersecurity threats and attacks that can lead to the unauthorized acquisition or access, compromise, loss, misuse or theft of our data, including personal information, confidential information or intellectual property.

As of the date of this Annual Report on Form 10-K, we are not aware of any material incidents or risks from cybersecurity threats that have materially affected us, including our business strategy, results of operations, or financial condition. For a discussion of how material risks from cybersecurity threats could materially affect us, see “Risk Factors-Risks Related to Privacy, Cybersecurity, and Infrastructure-If sensitive information about our sellers and buyers or other third parties with whom we transact business is disclosed, or if we or our third-party providers are subject to cyber-attacks, use of our online marketplace could be curtailed, we may be exposed to liability, and our reputation would suffer.”

Governance

Our Board of Directors is ultimately responsible for the Company’s risk oversight, including cybersecurity and privacy risks. Our Board of Directors has delegated responsibility for oversight of cybersecurity risks to the Audit Committee. The Audit Committee comprises board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.

Our Audit Committee is charged with reviewing and discussing our policies with respect to risk assessment and risk management, which includes overseeing our major financial, privacy, security, cybersecurity, and technology risk exposures and the steps our management has taken to monitor and control these exposures.

At the management level, our Head of Engineering and the system operations team are primarily responsible for identifying, assessing, monitoring, and managing cybersecurity. Our team also regularly partners with a firm with cybersecurity specialists, implementing best practices and building a cybersecurity framework around identifying, protecting, detecting, responding, and recovering from cybersecurity threats.

The Audit Committee receives reports from senior management, including our periodic committee meetings, which include, on a rotating basis, in-depth presentations on specific areas of risk and regular enterprise risk management updates. In addition to our scheduled meetings, our Global Incident Response Plan ensures that significant developments or incidents, even if immaterial to us, are reviewed regularly by a cross-functional team to determine whether further escalation to the Audit Committee is appropriate, ensuring the committee’s and the Board of Directors’ oversight is timely and responsive. Our Global Incident Response Plan also includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.


Company Information

Name: 1stdibs.com, Inc.
CIK: 0001600641
SIC Description: Retail-Catalog & Mail-Order Houses
Ticker: DIBS - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30