NERDWALLET, INC. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

NERDWALLET, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:23:17 EST.

Filings

10-K filed on 2024-02-20

NERDWALLET, INC. filed a 10-K at 2024-02-20 16:23:17 EST
Accession Number: 0001625278-24-000030


Item 1C. Cybersecurity.

Risk Management and Strategy

NerdWallet, Inc. recognizes the importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data and that of our users.

Risk Management

We have adopted the National Institute of Standards and Technology - Cybersecurity Framework (NIST-CSF) to guide our risk assessment and management and promote a company-wide cybersecurity risk management culture. Our cybersecurity team works closely with our information technology (IT) department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

Engagement of Third Parties

We enlist third-party cybersecurity assessors and consultants to evaluate and test both our risk management systems and the third-party risk management systems of our business partners. Through these collaborations, we tap into specialized knowledge and insights, helping us gauge the effectiveness of our cybersecurity strategies and processes. The findings from these assessments guide our decision-making and planning processes, influencing how we set priorities and allocate resources.

Overseeing Third-party Risk

Before partnering with third-party providers, we conduct a thorough examination of their cybersecurity program, policies, and practices. This includes a review of their SOC 2 reports and any available penetration tests. Additionally, we actively monitor our primary service providers and regularly obtain security control reports from them. We also employ real-time monitoring to detect any suspicious activity promptly. This approach is implemented to minimize risks associated with data breaches or other security incidents that may arise from third-party sources.

Risks from Cybersecurity Threats

To date, no cybersecurity incident or any risk from cybersecurity threats has materially affected, or has been determined to be reasonably likely to materially affect, us or our operations or financial condition.

Governance

The Board of Directors recognizes the critical importance of managing cybersecurity risks and has implemented robust oversight mechanisms designed to ensure effective governance in this area.

Audit Committee Oversight

The Audit Committee, comprising Board members with diverse experience in risk management, IT, cybersecurity, and finance, is directly responsible for overseeing cybersecurity risks. Our Chief Information Security Officer (CISO) provides comprehensive quarterly presentations to the Audit Committee, covering ongoing cybersecurity initiatives, strategies, and emerging threats. The Committee reports significant matters to the full board, and the CISO also delivers an annual presentation to the Board of Directors.

Management's Vigilance

A Security Council, led by the CISO with representatives from our engineering, corporate IT, security, legal, and internal audit teams, diligently reviews and assesses cybersecurity plans, risks, and incidents on a monthly basis. Any substantial risk incident is escalated to the executive team, disclosure committee, and potentially the full Board, if deemed material. Regular communication between the CISO and the Chief Legal Officer, Chief Financial Officer, and Chief Executive Officer ensures top management is well-informed about NerdWallet’s cybersecurity posture and potential risks.

Risk Management Leadership

The primary responsibility for assessing, monitoring, and managing our cybersecurity risks lies with our highly experienced CISO. With two decades of cybersecurity expertise, including multiple CISO roles, our CISO plays a pivotal role in developing and executing our cybersecurity strategies. His responsibilities include overseeing governance programs, addressing known risks, leading employee security training, and executing the incident response plan in case of a cybersecurity incident.


Company Information

Name: NERDWALLET, INC.
CIK: 0001625278
SIC Description: Services-Computer Processing & Data Preparation
Ticker: NRDS - Nasdaq
Website
Category: Accelerated filer
Emerging growth company
Fiscal Year End: December 30