NETFLIX INC 10-K Cybersecurity GRC - 2024-01-26

Page last updated on April 11, 2024

NETFLIX INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-01-26 16:01:56 EST.

Filings

10-K filed on 2024-01-26

NETFLIX INC filed a 10-K at 2024-01-26 16:01:56 EST
Accession Number: 0001065280-24-000030

Item 1C. Cybersecurity.

We have an enterprise-wide information security program designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools, and a bug bounty program to allow security researchers to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. We also maintain a third party security program to identify, prioritize, assess, mitigate and remediate third party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, red team exercises, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also engage an external auditor to conduct an annual payment card industry data security standard review of our security controls protecting payment information, as well as third-party penetration testing of our cardholder environment and related systems. The results of these assessments are reported to the Audit Committee.

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property, and we have experienced an unauthorized release of certain digital content assets. However, to date these incidents have not had a material impact on our service, systems or business. Any significant disruption to our service or access to our systems could result in a loss of members and adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See “Risk Factors - Any significant disruption in or unauthorized access to our computer systems or those of third parties that we utilize in our operations, including those relating to cybersecurity or arising from cyber-attacks, could result in a loss or degradation of service, unauthorized access, disclosure or destruction of data, including member and corporate information, or theft of intellectual property, including digital content assets, which could adversely impact our business.”

The Vice President of Security and Privacy Engineering leads our global information security organization responsible for overseeing the Netflix information security program. Our VP of Security and Privacy Engineering has over 30 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at large technology companies. The teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.

The Board oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. The Audit Committee of the Board oversees our cybersecurity risk and receives regular reports from our VP of Security and Privacy Engineering on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.

Item 1A. Risk Factors.

Any significant disruption in or unauthorized access to our computer systems or those of third parties that we utilize in our operations, including those relating to cybersecurity or arising from cyber-attacks, could result in a loss or degradation of service, unauthorized access, disclosure or destruction of data, including member and corporate information, or theft of intellectual property, including digital content assets, which could adversely impact our business.

Our reputation and ability to attract, retain and serve our members is dependent upon the reliable performance and security of our computer systems and those of third parties that we utilize in our operations. These systems may be subject to damage or interruption from, among other things, earthquakes, adverse weather conditions, other natural disasters, public health issues such as pandemics or epidemics, terrorist attacks, rogue employees, power loss, telecommunications failures, cybersecurity risks and incidents, and other interruptions beyond our control. Interruptions in these systems, or with the internet in general, could make our service unavailable or degraded or otherwise hinder our ability to deliver our service. Service interruptions, errors in our software or the unavailability of computer systems or data used in our operations could diminish the overall attractiveness of our service to existing and potential members.

Our computer systems and those of third parties we use in our operations are subject to constantly evolving cybersecurity threats, including cyber-attacks such as computer viruses, malware, ransomware, denial of service attacks, physical or electronic break-ins, or insider threats, as well as misconfigurations in information systems, networks, software or hardware, and similar disruptions or errors. These systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property. We and many of the third parties we work with rely on open source software and libraries that are integrated into a variety of applications, tools and systems, which may increase our exposure to vulnerabilities. Additionally, outside parties may attempt to induce employees, vendors, partners, or users to disclose sensitive or confidential information in order to gain access to data. Any attempt by hackers to obtain our data (including member and corporate information) or intellectual property (including digital content assets), disrupt our service, or otherwise access our systems, or those of third parties we use, if successful, could harm our business, be expensive to remedy and damage our reputation. We have implemented certain systems and processes to thwart hackers and protect our data and systems. However, the techniques used to gain unauthorized access to data and software are constantly evolving, and we may be unable to anticipate, detect or prevent unauthorized access or address all cybersecurity incidents that occur. Because of our prominence, we (and/or third parties we use) have been and may continue to be a particularly attractive target for such attacks, and from time to time, we have experienced an unauthorized release of certain digital content assets. 
However, to date these unauthorized releases have not had a material impact on our service, systems or business. There is no assurance that hackers may not have a material impact on our service or systems in the future. We do not carry insurance to cover expenses related to such disruptions or unauthorized access. Efforts to prevent hackers from disrupting our service or otherwise accessing our systems are expensive to develop, implement and maintain. These efforts require ongoing monitoring and updating as technologies change and efforts to overcome security measures become more sophisticated, and may limit the functionality of or otherwise negatively impact our service offering and systems. Any significant disruption to our service or access to our systems could result in a loss of members and adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations.

We utilize our own communications and computer hardware systems located either in our facilities or in that of a third-party provider. In addition, we utilize third-party “cloud” computing services in connection with our business operations. We also utilize our own and third-party content delivery networks to help us stream TV series, documentaries and feature films and offer games in high volume to Netflix members over the internet. Problems faced by us or our third-party “cloud” computing or other network providers, including technological or business-related disruptions, as well as cybersecurity threats and regulatory interference, could adversely impact the experience of our members.

Our reputation and relationships with members would be harmed if member personal information, particularly billing data, were to be accessed by unauthorized persons.

We maintain personal information regarding our members, including names, age, gender and billing information. This personal information is maintained on our own systems as well as that of third parties we use in our operations. With respect to billing information, such as credit card numbers, we rely on encryption and authentication technology to secure such information. We take measures to protect against unauthorized intrusion into our members’ information. Despite these measures and technologies we, our payment processing services or other third-party services we use such as AWS, could experience an unauthorized intrusion into our members’ information. In the event of such a breach, current and potential members may become unwilling to provide the information to us necessary for them to remain or become members. We also may be required to notify regulators about any actual or perceived data breach (including various state Attorneys General, one or more EU data protection authorities, or other data protection authorities) as well as the individuals who are affected by the incident within strict time periods. Additionally, we could face legal claims or regulatory fines or penalties for such a breach. The costs relating to any data breach could be material, and we currently do not carry insurance against the risk of a data breach. We also maintain personal information concerning our employees, as well as personal information of others working on our productions. Should an unauthorized intrusion into our members’ or employees’ personal information and/or production personal information occur, our business could be adversely affected and our larger reputation with respect to data protection could be negatively impacted.


Company Information

Name: NETFLIX INC
CIK: 0001065280
SIC Description: Services-Video Tape Rental
Ticker: NFLX - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30