Page last updated on March 6, 2025
Forge Global Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 16:29:12 EST.
Filings
10-K filed on 2025-03-06
Forge Global Holdings, Inc. filed a 10-K at 2025-03-06 16:29:12 EST
Accession Number: 0001628280-25-010942
Item 1C. Cybersecurity.
Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management framework, systems, and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We implement, refine, and maintain reasonable safeguards designed to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We use frameworks established by the National Institute of Standards and Technology and other applicable industry standards to further define, benchmark, and refine our cybersecurity practices.

We conduct a regular cybersecurity risk assessment process through our Head of Information Security (“CISO”) and dedicated information security team. These risk assessments include the effectiveness of our cybersecurity program and its practices for identifying, assessing, and mitigating cybersecurity risks; our controls to prevent, detect, and respond to cyber incidents; our cyber resiliency, including crisis preparedness, incident response processes, business continuity, and disaster recovery capabilities; and our investments in cybersecurity infrastructure and program needs.

As part of our overall risk management system, our dedicated information security team monitors and tests our cybersecurity policies and procedures through methods such as periodic reviews, targeted assessments, and tabletop exercises. All personnel are made aware of our cybersecurity policies and procedures upon hire and through periodic refresher trainings.
Such policies and procedures cover areas such as identity and access management, vendor management, data governance and protection, vulnerability management, incident response, and operational risk management. Our cybersecurity policies and procedures are also incorporated into our broader risk management framework such that all enterprise and operational risks are evaluated in a holistic manner.

We engage consultants and other third parties in connection with our risk assessment processes. These service providers assist us with designing, implementing, and testing our cybersecurity policies and procedures, as well as advising on applicable disclosure requirements. We used a risk-based approach to require certain third-party service providers to certify that they have the ability to implement and maintain appropriate security measures consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of their security measures that may affect us.

To date, we have not experienced any cybersecurity incidents which have materially impacted or are likely to materially impact our business strategy, results of operations, or financial condition based on information known to us as of the date of this Report. As discussed more fully under the section titled “Risk Factors,” in this Report, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient despite our best efforts.

Governance

Our management is responsible for the day-to-day oversight and management of our enterprise risks, including risks from cybersecurity threats.
As described in “Risk Management and Strategy” above, primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with our CISO and dedicated information security team, who develop, prioritize, and execute our cybersecurity strategy in partnership with relevant departments and business units. Our CISO, who has over 20 years of cybersecurity and information security experience, oversees our cybersecurity framework, reports to our management-level risk committee, and chairs our cybersecurity risk subcommittee. Our CISO is assisted in this oversight role by additional members of management, including our Chief Technology Officer, Chief Risk Officer, and Head of Legal, each of whom brings decades of leadership experience managing risks in their respective fields.

Our board of directors, as a whole and as assisted by our risk committee, has responsibility for the oversight of our cybersecurity risk management framework. Consistent with this approach, our board of directors maintains oversight in the context of discussions with management, question and answer sessions, and reports from the management team, each on at least a quarterly basis and ad hoc as needed. Such reports include updates on any cybersecurity incidents and mitigation efforts until they have been resolved.

Our board of directors and our audit committee also receive regular and ad hoc reports from our risk committee on all enterprise risks, including risks from cybersecurity threats. Our audit committee provides additional oversight on our cybersecurity risk management framework, with an emphasis on public reporting obligations and the effects cybersecurity risks could have on our financial condition generally.
Company Information
Name | Forge Global Holdings, Inc. |
CIK | 0001827821 |
SIC Description | Security & Commodity Brokers, Dealers, Exchanges & Services |
Ticker | FRGE - NYSE |
Website | |
Category | Non-accelerated filer; Smaller reporting company |
Fiscal Year End | December 30 |