MERCADOLIBRE INC 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

MERCADOLIBRE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:01:42 EST.

Filings

10-K filed on 2024-02-23

MERCADOLIBRE INC filed a 10-K at 2024-02-23 16:01:42 EST
Accession Number: 0001099590-24-000008


Item 1C. Cybersecurity.

Risk Management and Strategy

We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of technology infrastructure and business operations, intellectual property theft, fraud, harm to employees or customers, violation of privacy laws and confidentiality, other litigation and legal risks, and reputational risk, as part of our overall risk management principles and processes.

Our risk management framework includes several security pillars, including data security, identity management, cloud security, infrastructure security, application security, incident response, and cybersecurity risk management. Our cybersecurity risk management processes incorporate frameworks aligned with recognized cybersecurity and cyber risk established frameworks. Our cybersecurity model is based on four criteria: (i) Zero Trust (e.g. a model based on continuous validation of users and devices), (ii) analysis of abnormal or unusual behavior, (iii) automatic response, and (iv) decentralization. Our cybersecurity risk strategy aligns risks, initiatives and controls, consisting of initiatives and projects designed to identify, evaluate, control and monitor cybersecurity risks and incidents. Our data security and privacy strategy focuses on discovery, minimization, detection, response, standardization and awareness. Our incident response strategy is based on best practices, focusing on proactive and automatic response, preparation and prevention, detection and analysis, containment, eradication, recovery and post-incident activity. We have also implemented a security risk management policy that provides guidance on how to identify, analyze, and optimize risk management and subsequent risk mitigation.

We have processes in place to assess, identify, manage, and address cybersecurity threats and incidents. These include, among other things: mandatory trainings and drills on social engineering, phishing and ransomware attacks for all our employees; tabletop exercises for employees of the information security team; cybersecurity events in which management and/or certain employees participate and/or organize; ransomware prevention and phishing controls allowing for automatic and timely detection and response; and penetration testing, red team exercises and a bug bounty program to help us evaluate the effectiveness of our information security processes and improve our security measures and planning. We also conduct, with the assistance of an external auditor, annual Payment Card Industry Data Security Standard (PCI-DSS) reviews of our payment information security controls.

We also have teams in place to oversee and manage our cybersecurity risk management processes, including: (i) an information security team, organized around our various services and products, responsible for day-to-day cybersecurity matters related to the respective services and products; (ii) a risk committee, comprised of members of management, that oversees the Company's financial and non-financial risks, including cybersecurity risks, and assists management in oversight; and (iii) internal local, corporate and strategic crisis management teams that form part of our crisis management framework.

Our risk management framework further includes processes to manage cybersecurity risks associated with third parties, including, a third-party risk management program that focuses on identifying security and data privacy risks arising out of our interactions with critical third-party suppliers and payment methods, and a program focused on assessing risks arising in mergers and acquisitions transactions. In connection with our cybersecurity risk management processes, while we do not regularly engage assessors, consultants, auditors, or other third parties to assess, identify, and manage material risks from cybersecurity threats, we do involve such parties if there has been a cybersecurity incident that we believe requires an assessment by a third party.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. In the last fiscal three years, we have not experienced any material information security breach incidents and the expenses we have incurred from information security breach incidents were immaterial. See Risk Factors in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.

Governance

Management

The cybersecurity risk management processes described above are managed by our Cybersecurity VP under the supervision of the risk committee. The Audit Committee of the board of directors provides additional oversight as needed. Our risk committee is comprised of the Chief Financial Officer, Commerce Executive VP, Fintech President and the Heads of Corporate Affairs, Risk & Compliance, Data Privacy, Information Security, AML & Sanctions, Legal & Government Relations, Commerce Product Development, Fintech Product Development and IT Infrastructure. Its primary purpose is to assist management and the board directly and/or indirectly through the board's Audit Committee, overseeing the Company's financial and non-financial risks, including cybersecurity risks. Our Cybersecurity VP and some of our risk committee members are skilled in technology, security and/or risk and compliance. Our Cybersecurity VP is a certified information systems security professional (CISSP) and has considerable experience in the field of information security, fraud and prevention.

As part of our cybersecurity risk management processes, our Cybersecurity VP presents security risk matters to the risk committee on an as-necessary basis, and to the Audit Committee annually and on an as-necessary basis. In the event of a critical incident that may impact the Company's operations, the Company's crisis management framework activates the strategic crisis management team for evaluation and response. The strategic crisis management team is comprised of the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Commerce Executive VP, Fintech President, Corporate Affairs Executive VP and Marketing Executive VP. The risk committee also meets quarterly and presents the status, evolution and main indicators of each security risk to management, although information security may not be deemed a risk in each particular quarter. Further, the Company's cybersecurity processes are formally evaluated by the Cybersecurity VP on an annual basis, which includes updating the Company's cybersecurity policy, security risk management policy and methodology, and classification of information.

Board of directors

The Audit Committee is primarily responsible for the oversight of cybersecurity risks and threats. To fulfill this responsibility, the Audit Committee, assisted, as appropriate, by the risk committee, oversees the risk management framework, including risk assessment and risk management policies and procedures established by management to identify, evaluate, measure and manage existing and potential cybersecurity risks faced by the Company.

Annually and on an as-necessary basis, members of management and/or of the risk committee provide presentations to the Audit Committee regarding cybersecurity matters, including any material risks. These presentations include information regarding cybersecurity risks, the evolution of those risks and initiatives to optimize and improve the processes of cybersecurity. Further, in the event of a specific cybersecurity incident, these presentations include information about the relevant security incident, such as incident status, informed stakeholders and remediation plans.


Company Information

Name: MERCADOLIBRE INC
CIK: 0001099590
SIC Description: Services-Business Services, NEC
Ticker: MELI - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30