DraftKings Inc. 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

DraftKings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 07:16:00 EST.

Filings

10-K filed on 2024-02-16

DraftKings Inc. filed an 10-K at 2024-02-16 07:16:00 EST
Accession Number: 0001883685-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company maintains a governance structure to address cybersecurity risk, which involves a dedicated Security Operations Team (the Security Operations Team ), an executive security steering committee (the Executive Security Steering Committee ), and the Compliance and Risk Committee of the Board and the Board. The Company s Security Operations Team, led by our Chief Information Security Officer, is responsible for identifying, assessing, mitigating, and reporting on material cybersecurity risks to the Company s Executive Security Steering Committee. The Company s Chief Information Security Officer holds high-level licenses and certifications relating to information security, including a Certified Information Security Manager from the Information Systems Audit and Control Association and a Certified Information Systems Security Professional and a Certified Cloud Security Professional from the International Information Security System Security Certification Consortium. The Company s Executive Security Steering Committee, chaired by the Company s Chief Information Security Officer and comprised of various cross-functional members of senior management, drives awareness and alignment across broad stakeholder groups for cybersecurity governance and risk management and reporting. The Executive Security Steering Committee receives quarterly reports from the Company s Chief Information Security Officer. The Compliance and Risk Committee receives regular reports from the Company s Chief Information Security Officer. The Compliance and Risk Committee periodically reports to the Board. The Company maintains an operational Incident Response Plan ( IRP ) that defines how the Company handles cyber incidents, including escalation, reporting and remediation procedures. The IRP is reviewed annually both internally and by third parties during regular audits. In addition, the Company retains a preferred partner with expertise in cyber risks and incidents to advise on cybersecurity related matters. The Company s preferred partner is also part of the Company s IRP procedures and provides independent analysis and advice during cybersecurity investigations. The Company also maintains a Security Awareness Program, which is designed, implemented, and maintained by the Company s Chief Information Security Officer. The Company s Security Awareness Program includes training that reinforces the Company s information technology risk and security management policies, standards and practices, as well as the expectation that employees comply with these policies. The Security Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect the Company s resources and information, as well as how to respond to unauthorized access to or use of Company information. The Security Awareness Program training is mandatory for all employees globally at least annually, and it is supplemented by Company-wide assessment initiatives, including periodic testing. The Company provides specialized security training for certain employee roles, such as application developers. The Company conducts periodic tests to assess the Company s processes and procedures and the threat landscape, which are designed with the goal of implementing and maintaining a robust cybersecurity program. Where appropriate, the Company takes additional and ongoing steps intended to strengthen the Company s cybersecurity capabilities and mitigate the risk of a breach or incident. The Company s security program and IT-related controls are regularly examined by internal auditors, external auditors and various regulators. For example, each year, the Company conducts various third-party audits, including SOC 2 Type2, PCI DSS, ISO 27001. The Company also engages third-party consultants for incident responses. These third-party consultants report directly to the Chief Information Security Officer and, depending on the nature of the incident, report directly to the Executive Security Steering Committee on various topics including, effects of the incident and recommendations on how to strengthen the Company s cybersecurity capabilities and mitigate the risk of a breach or incident. In addition to assessing the Company s cybersecurity preparedness, the Company also considers and evaluates cybersecurity risks associated with its use of third-party service providers. The Company maintains a vendor onboarding program, pursuant to which the Company regularly reviews third-party hosted applications and, when available, requests its vendors to provide SOC2 and/or ISO 27001 certificates. The Company s assessment of risks associated with use of third-party providers is part of the Company s overall cybersecurity risk management program. Although we have designed our cybersecurity program and governance procedures above to mitigate cybersecurity risks, we face unknown cybersecurity risks, threats and attacks. To date, these risks, threats or attacks have not had a material impact on our operations, business strategy or financial results, but we cannot provide assurance that they will not have a material impact in the future. See the section entitled Risk Factors included elsewhere in this Annual Report for further information. We continuously work to enhance our cybersecurity risk management program.

Company Information