ETSY INC 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

ETSY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 18:18:25 EST.

Filings

10-K filed on 2024-02-21

ETSY INC filed a 10-K at 2024-02-21 18:18:25 EST
Accession Number: 0001370637-24-000013


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Etsy recognizes the importance of information security, cyber readiness, and data privacy protections to our business and reputation, which includes assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks; intellectual property risks; harm to employees or members of our buyer and seller communities; violation of privacy or security laws; litigation or other legal risks; and reputational risks. We use processes, technologies, and controls to assist in our efforts to assess, identify, and manage material cybersecurity-related risks. We also employ a range of tools and services, including network monitoring, vulnerability assessments, and tabletop exercises, to inform our risk identification and assessment processes. We maintain an incident response plan that outlines the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes designed to triage, assess the severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with relevant legal obligations. Additionally, we conduct cybersecurity awareness and sensitive information protection training for our employees, and we periodically test the effectiveness of our training and policies through simulations, which may include simulated phishing emails and tabletop exercises. We also would use similar processes, technologies, and controls to manage cybersecurity risks associated with third-party suppliers, including those who have access to our systems or our employee and other confidential data. In addition, cybersecurity considerations affect the selection and oversight of our third-party suppliers.

We perform diligence on critical third-party suppliers that have access to our systems and data, or facilities that house such systems or data, and we monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require third parties that we have identified as parties that could introduce significant cybersecurity risk to agree by contract to manage their cybersecurity risks according to standards set by us and/or to agree to be subject to cybersecurity audits conducted by our agents, which we conduct as we deem appropriate. We engage third parties to conduct information security testing, including penetration testing, on our systems, including our credit card payments infrastructure. In addition, our information security program is subject to periodic self-assessments that measure the maturity of our program in a manner aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. To identify and assess material risks from cybersecurity threats, using our enterprise risk management framework, we consider cybersecurity risks as part of our overall risk assessment and risk management process. Our information security team serves as a first line of defense, including managing cyber risk strategy execution and owning the day-to-day management of these risks. Our enterprise risk management program serves as a second line of defense, bringing holistic risk oversight and serving as a partner to the business to help first line teams strategically manage risk. Our enterprise risk management function also establishes a risk and governance framework to help identify, prioritize, and optimize risk-reward decisions.

Certain risks identified by our enterprise risk management function, including cybersecurity risks, are monitored by our Risk Steering Committee, a senior management level committee that includes our Executive Team. The Risk Steering Committee's review of these risks in turn informs the risk management updates provided to the committee of our Board of Directors responsible for assisting the Board of Directors with its oversight of cybersecurity risks. Additionally, Internal Audit will from time to time review certain aspects of our cybersecurity program and the related internal controls, and our external auditor will test relevant controls around our cybersecurity program and incident reporting. Through these processes, we did not identify risks from current or past cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For more information about these risks, please see the Risk Factors in this Annual Report on Form 10-K.

Cybersecurity Governance

Our Board and our Board Committees are actively engaged in the oversight of our information security program. Before the establishment of our Risk Oversight Committee, our Audit Committee assisted our Board of Directors with its oversight of risks associated with Etsy's technology and information security policies and practices, the internal controls relating to information security, and the steps taken by management to identify, monitor, and control any risk exposures.

In December 2023, our Board approved the formation of a Risk Oversight Committee to assist the Board with its oversight of Etsy's management of risk exposures, including oversight of technology and information security related risks (which responsibility will move from the Audit Committee to the Risk Oversight Committee), as well as oversight of management's processes for effectively monitoring and mitigating risk.

Our management has general responsibility for day-to-day implementation of our information technology, cybersecurity, and privacy strategies and policies, including deployment and use of security tools, applications, and annual employee training. Role or project specific employee training, as well as other training, may occur more frequently than annually, as needed. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Technology Officer (CTO), who is assisted by our Chief Information Security Officer (CISO). Our CISO, CTO, and our Risk Steering Committee are informed about and oversee the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Our CTO holds a Bachelor's degree from RV College of Engineering in Bengaluru, India and a Master of Public Administration from Columbia University. Our CTO has been recognized as one of the Top 50 Women in Tech by the National Diversity Council and has received the Digital Diversity Network's Innovation and Inclusion CodeBreakers Award, the Innovators & Disrupters Award from New York on Tech, and the Future CIO Award at the Women in IT Awards.

Our CISO has nearly twenty years of experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, and secure architecture and design, as well as several relevant degrees and certifications, including a Bachelor of Science in Computer Engineering from the University of Denver and IAPP Certified Information Privacy Technologist (CIPT). Our CISO's previously held certifications include ISC2 Certified Information Systems Security Professional (CISSP), EC-Council Certified Chief Information Security Officer (C|CISO), and ISACA Certified Data Privacy Solutions Engineer (CDPSE). Given the importance of information security to our stakeholders, our Board or the committee of our Board of Directors responsible for assisting the Board of Directors with its oversight of cybersecurity risk receives regular reports from our CISO on cybersecurity-related matters, including the status of projects to strengthen our security systems and to improve our cyber threat readiness, as well as on the existing and emerging cyber threat landscape and our program for managing these security risks. In addition, our CISO has direct access to the chair of the committee of our Board of Directors overseeing cyber-related risks and is expected to keep that committee apprised of any significant developments that may emerge between scheduled meetings that may require the attention of the Board or relevant committee. Our Board also periodically participates in tabletop exercises conducted by senior management, with the assistance of outside counsel as needed, as part of risk management and disaster-related planning to validate, test, and assess the effectiveness and adequacy of certain roles and decision-making processes in the event of a cyber-incident.


Company Information

Name: ETSY INC
CIK: 0001370637
SIC Description: Services-Business Services, NEC
Ticker: ETSY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30