LendingClub Corp 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

LendingClub Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:14:08 EST.

Filings

10-K filed on 2024-02-16

LendingClub Corp filed an 10-K at 2024-02-16 16:14:08 EST
Accession Number: 0001409970-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity represents a critical component of our overall approach to risk management. Accordingly, cybersecurity risks are subject to oversight by the Company s Board of Directors (the Board), primary responsibility for which has been delegated by the Board to its Operational Risk Committee (the Board Operational Risk Committee). Our cybersecurity policies, processes and practices are informed by the cybersecurity framework established by the National Institute of Standards and Technology. We are able to leverage a cross-functional team that includes senior personnel from our technology, operations, legal, risk management and internal audit functions as and when warranted by the particular cybersecurity matter. In managing cybersecurity risks, we strive to: (i) identify, prevent and mitigate cybersecurity threats; (ii) preserve the confidentiality, security and availability of proprietary or 47 LENDINGCLUB CORPORATION confidential information; (iii) protect the Company s intellectual property; (iv) maintain the confidence of our members, marketplace investors and business partners; and (v) provide appropriate and required disclosure of cybersecurity risks and incidents. Risk Management and Strategy Our processes for assessing, identifying, and managing material risks from cybersecurity threats are fully integrated into our enterprise risk management (ERM) program and include the following areas of focus: Systems Safeguards: Preventing and mitigating cybersecurity threats, including through the use of firewalls, intrusion prevention and detection systems, anti-malware software, access controls and other system safeguards. Incident Response: Identifying and responding to cybersecurity incidents in accordance with our information security incident response plan. Collaboration: Collaborating internally and with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks. Third-Party Risk Management: Maintaining a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems. Training: Reinforcing our information security policies, processes and practices through periodic mandatory training for Company personnel. Governance: Designing a comprehensive framework for the oversight of cybersecurity risk, with regular interaction between the Board Operational Risk Committee and the Company s ERM function, our Chief Information Security Officer (CISO) and members of Company management and relevant management committees, including the Company s Management Operational Risk Committee (the Management Operational Risk Committee). A key part of our strategy for managing risks from cybersecurity threats is the assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, threat modeling, vulnerability scanning and other exercises focused on evaluating the effectiveness of our cybersecurity measures. We engage third parties to perform assessments on our cybersecurity measures, including information security penetration tests, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Board Operational Risk Committee and are used to adjust our cybersecurity policies, standards, processes and practices, as necessary. Governance The Board Operational Risk Committee oversees the management of risks from cybersecurity threats, including policies, processes and practices implemented by Company management to address such risks. The Board Operational Risk Committee receives presentations and reports on cybersecurity risks and information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates until such incident has been addressed. At least once each year, the Board Operational Risk Committee discusses the Company s approach to cybersecurity risk management with our CISO. Further, the Board periodically, as warranted, receives reports with respect to and engages in discussions with Company management on cybersecurity matters. Our CISO is principally responsible for overseeing our cybersecurity risk management program, in partnership with other senior personnel across the Company. Our CISO works in coordination with the other members of the Company s Management Operational Risk Committee, which includes our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, Chief Risk Officer and General Counsel. Our CISO has served in that role for over 5 years and in various roles in information technology and information security for over 20 years. Our CISO 48 LENDINGCLUB CORPORATION holds an undergraduate degree in computer information systems and has attained the professional certification of Certified Information Systems Security Professional. The other members of the Management Operational Risk Committee each have relevant qualifications and over 10 years of experience managing risk in the technology and/or financial services industry. Our CISO, in coordination with the Management Operational Risk Committee, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, cross-functional teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our information security incident response plan. Our CISO, through his team and use of accompanying technology, monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and report such incidents to the Management Operational Risk Committee and/or the Board Operational Risk Committee, as and when appropriate. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents of a material nature. For additional information about the risks from cybersecurity threats, see Item 1A. Risk Factors in this Annual Report.

Company Information