Meta Platforms, Inc. 10-K Cybersecurity GRC - 2024-02-01

Page last updated on April 11, 2024

Meta Platforms, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-01 19:39:02 EST.

Filings

10-K filed on 2024-02-01

Meta Platforms, Inc. filed a 10-K at 2024-02-01 19:39:02 EST
Accession Number: 0001326801-24-000012


Item 1C. Cybersecurity.

At Meta, cybersecurity risk management is an important part of our overall risk management efforts. Our industry is prone to cybersecurity threats and attacks, and we regularly experience cybersecurity incidents of varying degrees. We believe we are a particularly attractive target as a result of our prominence and scale, the types and volume of personal data and content on our systems, and the evolving nature of our products and services. Our products and services reach billions of users and involve the collection, storage, processing, and transmission of a large amount of data. In addition, our business and operations span numerous geographies around the world, involve thousands of employees, contractors, vendors, developers, partners, and other third parties, and rely on software and hardware that is highly technical and complex. We maintain an information security program that is comprised of policies and controls designed to mitigate cybersecurity risk. However, at any given time, we face known and unknown cybersecurity risks and threats that are not fully mitigated, and we discover vulnerabilities in our program. We continuously work to enhance our information security program and risk management efforts.

We use a risk management framework based on applicable laws and regulations, and informed by industry standards and industry-recognized practices, for managing cybersecurity risks within our products and services, infrastructure, and corporate resources. To identify and assess risks from cybersecurity threats, we evaluate a variety of developments including threat intelligence, first- and third-party vulnerabilities, evolving regulatory requirements, and observed cybersecurity incidents, among others. We regularly conduct risk assessments to evaluate the maturity and effectiveness of our systems and processes in addressing cybersecurity threats and to identify any areas for remediation and opportunities for enhancements. We also engage third-party security experts and consultants to assist with assessment and enhancement of our cybersecurity risk management processes, as well as benchmarking against industry practices. In addition, we maintain a privacy risk management program to assess privacy risks related to how we are collecting, using, sharing, and storing user data, which is subject to assessment by an independent, third-party privacy assessor. Our internal audit function provides independent assessment and assurance on the overall operations of our cybersecurity and privacy programs and the supporting control frameworks. These processes support informed risk-based decision-making and prioritization of cybersecurity countermeasures and risk mitigation strategies.

Our risk mitigation strategies include a broad variety of technical and operational measures, as well as annual cybersecurity and privacy training for all of our employees. In addition, we maintain specific policies and practices governing our third-party security risks, including our third-party assessment (TPA) process. Under our TPA process, we gather information from certain third parties who contract with Meta and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We also generally require third parties to, among other things, maintain security controls to protect our confidential information and data, and notify us of material data breaches that may impact our data.

Our board of directors has oversight of our strategic and business risk management and has delegated cybersecurity risk management oversight to the audit & risk oversight committee of our board of directors (Audit & Risk Oversight Committee). Our Audit & Risk Oversight Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and to implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. The privacy committee of our board of directors (Privacy Committee) oversees risks related to privacy and data use, including overseeing compliance with our comprehensive privacy program. Management is responsible for identifying, assessing, and managing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures, maintaining cybersecurity policies and procedures, and providing regular reports to our board of directors, including through the Audit & Risk Oversight Committee and Privacy Committee.

Our Chief Information Security Officer (CISO) Guy Rosen leads our cybersecurity program and oversees teams across the company supporting our security functions of identify, prevent, detect, respond, and recover. These teams are comprised of personnel with a broad range of experience across the private and public sectors, the technology industry, and different geographic regions. Mr. Rosen has two decades of experience in various cybersecurity, software development, product management, and other technology-related roles. Mr. Rosen has served in a number of significant leadership roles at our company since 2013, including oversight of security, safety, and integrity initiatives, and was appointed as our CISO in 2022. Prior to joining our company, Mr. Rosen served in senior leadership, engineering, and operational roles across technology organizations. Our cybersecurity teams monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical and operational measures, and regularly report to our CISO. Our CISO is part of the senior management team at the company and regularly updates the Audit & Risk Oversight Committee on the company's cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.


Company Information

Name: Meta Platforms, Inc.
CIK: 0001326801
SIC Description: Services-Computer Programming, Data Processing, Etc.
Ticker: META - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30