ROKU, INC 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

ROKU, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:06:52 EST.

Filings

10-K filed on 2024-02-16

ROKU, INC filed an 10-K at 2024-02-16 16:06:52 EST
Accession Number: 0001428439-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our enterprise-wide approach to risk management is designed to support the achievement of our organizational and strategic objectives and improve long-term organizational performance. Cybersecurity is a critical component of our enterprise risk management approach, and cybersecurity risks are among the enterprise risks that are subject to oversight by our Board and the Audit Committee of our Board (the Audit Committee ). Our cybersecurity program is designed to assess, identify, and manage cybersecurity risks and threats. Key components of our cybersecurity program include: managing cybersecurity threats by deploying technical safeguards that are designed to protect our information systems from cybersecurity threats, which we evaluate and seek to improve, including through vulnerability assessments and cybersecurity threat intelligence; maintaining cybersecurity incident management procedures to address incident reporting, classification, escalation, response, and recovery, and facilitate efficient and consistent management of cybersecurity incidents involving our information systems; assessing and testing our cybersecurity policies and practices via internal efforts (such as assessments, vulnerability testing, threat modeling, tabletop exercises, and other exercises focused on evaluating the effectiveness of our cybersecurity measures) and by engaging third parties (including cybersecurity consulting firms) to perform assessments of our cybersecurity measures; a third-party cybersecurity risk management process, including, among other things, a security assessment and contracting process for vendor applications and implementing contractual security measures with third-party vendors; and cybersecurity awareness training for all employees and enhanced training for certain employees. Cybersecurity Governance As part of its broader risk oversight activities, the Board oversees risks from cybersecurity threats, primarily through delegation to the Audit Committee. As reflected in its charter, the Audit Committee assists the Board in reviewing our significant cybersecurity matters and concerns. The Audit Committee engages on cybersecurity matters with our management team, including our Vice President of Trust Engineering, who regularly provides presentations to the Audit Committee on our cybersecurity program and cybersecurity risks. These presentations address a range of topics including, for example, the threat landscape and cybersecurity events, vulnerability assessments, incident preparedness assessments, disaster recovery plans, and cybersecurity awareness training. Two additional members of our Board, who have cybersecurity experience but are not members of the Audit Committee, are invited to attend Audit Committee meetings when review of our cybersecurity program is on the agenda. In addition, the full Board receives regular updates on the activities of the Audit Committee, including with regard to cybersecurity oversight. Our Vice President of Trust Engineering is principally responsible for overseeing our cybersecurity risk management program, in partnership with other members of management. Our Vice President of Trust Engineering has served in various roles in cybersecurity and information technology for over 30 years, including as Vice President and Chief Security Architect of Intertrust Technologies Corporation and Java Security Architect at Sun Microsystems, Inc. In addition, our Executive Incident Management Team ( EIMT ) is a cross-functional management committee focused on providing executive guidance on the cybersecurity incident response process to facilitate an appropriate and timely response, make decisions related to cybersecurity incidents, and notify appropriate parties with relevant cross-functional expertise in the event of a cybersecurity incident. Our Trust Engineering team is responsible for the day-to-day identification, assessment, and management of information security risks and provides regular updates to our Vice President of Trust Engineering regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. Cybersecurity incidents are escalated to our Vice President of Trust Engineering, the EIMT, and the Chair of our Audit Committee in accordance with our cybersecurity incident management procedures, so that decisions can be made regarding incident reporting and disclosure in a timely manner. 49 Table of Contents Notwithstanding our cybersecurity risk management and governance, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information regarding the cybersecurity risks we face, see Item 1A, Risk Factors, elsewhere in this Annual Report, under the caption Significant disruptions of our information technology systems or data security incidents could harm our reputation, cause us to modify our business practices, and otherwise adversely affect our business and subject us to liability.

Company Information