ContextLogic Inc. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

ContextLogic Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 16:30:24 EDT.

Filings

10-K filed on 2025-03-12

ContextLogic Inc. filed a 10-K at 2025-03-12 16:30:24 EDT
Accession Number: 0000950170-25-037990


Item 1C. Cybersecurity.

Our Company recognizes the importance of maintaining the safety and security of our critical systems, information, and broader information technology environment. We have developed a comprehensive cyber, data governance, and privacy program intended to (i) protect the confidentiality, integrity, and availability of our information systems and data, and (ii) assess, identify, and manage material risks associated with cybersecurity threats.

In order to protect the Company data - and any other data we manage or handle - we have adopted a number of safeguards and security measures. For example, we have implemented software-as-a-service firewalls, endpoint protection, detection and response solutions, intrusion detection systems, access controls including multi-factor authentication, vulnerability scanning, software static analysis, dynamic analysis, third-party independent business continuity testing, and independent third-party control audits.

In addition, we have implemented several policies and programs to improve compliance and reduce risk, ensure appropriate responses in the event of an incident, and reduce the cost and scope of an incident should it occur, including:

- a robust Incident Response Plan (“IRP”),
- an Information Technology and Information Security Policy (“IT&IS Policy”),
- a data governance program to oversee our Records Retention Policy,
- a Data Governance Working Group comprised of legal, finance, human resources (“HR”), and third-party privacy and data governance consultants to review policies, programs, and data governance, and make reports and recommendations to management and the Board of Directors,
- mandatory cyber and information security training for all employees, and
- cybersecurity insurance designed to reduce the risk of loss resulting from cybersecurity incidents.

Our IRP, in conjunction with the IT&IS Policy, is designed to equip our employees and managers with the necessary tools to detect, respond to, and ultimately prevent cybersecurity incidents. It contains detailed processes and procedures to assist employees in managing cybersecurity incidents when they happen, including techniques for detecting/identifying suspicious activity in our data environment, response and escalation protocols to defend against intrusions and contain any potential data leakage, data preservation measures to ensure data integrity going forward, and remediation steps to diagnose root causes and secure gaps to prevent future attacks.

The Incident Response Team (“IRT”) coordinates and aligns key resources and team members during a security incident to minimize impact, restore operations as quickly as possible, and assess and fulfill the Company’s legal and contractual obligations. The IRT is also responsible for centrally managing internal and external communications to ensure that disclosures are accurate and complete. The IRT is led by our Chief Compliance Officer, legal team, and Cybersecurity Response Leader, and is supported by a multi-tier team comprised of key stakeholders across the business including finance, HR, our dedicated IT provider, and other external response partners, including cybersecurity consultants, cybersecurity insurance providers, and outside legal counsel. The IRT and external response partners operate under the supervision of our executive management team with oversight from the Audit Committee of our Board of Directors.

Finally, the IRP is also supported by a full curriculum of training for employees that is drafted and administered under the supervision of our Chief Compliance Officer. Importantly, these training sessions include several modules and quizzes for both technical and non-technical employees to assist our employees in comprehensively understanding the importance of data security to our stakeholders and our business and the various ways they can promote a security environment throughout our company.

Risk Management and Strategy

Incident Response Lifecycle - Assessing and Responding to Cyber Incidents

Our IRP sets forth the Company’s process for assessing cyber threats. The IRP serves as the incident response plan to effectively manage, mitigate, and contain the risk of a security incident or data breach, and it applies to all ContextLogic personnel, including employees, contractors, consultants, and any other individuals acting for or on behalf of the Company. The IRP incident response lifecycle is comprised of four phases: (1) Preparation, (2) Detection and Analysis, (3) Incident Response, Investigation, and Notification, and (4) Post-Incident Analysis and Lessons Learned.

The preparation phase of our IRP includes maintaining protective measures to minimize the likelihood and impact of a security incident, regularly reviewing and updating our policies and procedures to maintain alignment with industry standards and guidance, and periodic training of all Company personnel on information security, data privacy, and the procedures for reporting suspected incidents.

The detection and analysis phase addresses the responsibility of Company personnel to notify our IRT Leader and IT provider upon noticing, suspecting, or being notified of any actual or suspected security incident, which will prompt our IT provider to perform an initial investigation of the issue and determine whether the event is a security incident and whether the Cybersecurity Response Leader needs to be notified.

The incident response, investigation, and notification phase of our IRP addresses the distinct but simultaneous workstreams that occur internally once an event has been determined to be a security incident. This includes technical response such as technical evidence collection and preservation, threat containment and eradication, and system and data restoration. Additionally, incident investigation efforts begin to determine the scope and severity of the security incident with legal and finance stakeholders. If appropriate, further measures are taken to comply with disclosure obligations as required by governance guidelines, committee charters, and applicable laws and contracts.

The post-incident analysis phase includes evaluating the internal security policies, preparedness, posture, and technical environment, allowing the Company to conduct a holistic assessment and identify and remediate shortcomings and gaps.

Evaluation

As part of our IRP, we conduct regular testing to ensure that the IRP is functional and effective. Tests may include tabletop exercises, verbal walkthroughs with relevant stakeholders, or responses to actual security incidents. We also engage third-party services from time to time to conduct evaluations of our security controls, including the IRP, whether through business continuity testing or consulting on best practices to address new challenges and risks.

Board and Management Oversight

The Company’s management is involved in overseeing our cyber, data governance, and privacy program as members of our Data Governance Working Group, and assessing security incidents with the IRT to the extent discussed in the IRP above. The Board and Audit Committee actively oversee our enterprise risk management, including cybersecurity risks, and are notified and updated on any security incidents on a regular basis. The Audit Committee is responsible for overseeing our cyber, data governance, and privacy program and receives regular updates from management and the IRT leader about the Company’s ongoing compliance and risk management and reports to the Board regularly.

Cybersecurity Threat Disclosure

To date, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us.


Company Information

Name: ContextLogic Inc.
CIK: 0001822250
SIC Description: Retail-Catalog & Mail-Order Houses
Ticker: LOGC - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30