Toast, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Toast, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:04:51 EST.

Filings

10-K filed on 2024-02-27

Toast, Inc. filed a 10-K at 2024-02-27 16:04:51 EST
Accession Number: 0001650164-24-000084


Item 1C. Cybersecurity.

We recognize the importance of managing cyber risks that we face and have established processes as part of our enterprise risk management, or ERM, program to identify, assess, and manage risks associated with cybersecurity. Our Board retains oversight of our cybersecurity risk management. Our cybersecurity program is informed by industry standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is designed to preserve the confidentiality, security and availability of the information that we collect and store.

Governance Related to Cybersecurity Risks

Our Board holds oversight responsibility over our strategy and risk management, including risks related to cybersecurity threats. Under the oversight of the Audit Committee, we have implemented an ERM framework that includes processes for identifying, assessing, and responding to cyber risk exposures. The enterprise risk management process is led by our chief compliance officer, where team members are responsible for working with cross-functional counterparts at the Company to assess risks across designated verticals, including cybersecurity. The chief compliance officer reports on the ERM process to the Audit Committee of our Board regularly. In addition, we have established a working council, or our Enterprise Risk and Compliance Committee, that meets regularly to review and report on the ERM framework to senior leadership.

Our Chief Information Security Officer, or CISO, who has decades of experience in similar roles in the technology industry, leads and oversees our information security program, including our cybersecurity policies and information security team. This team is responsible for implementing processes designed to identify and protect company assets through prevention and detection controls. Through our cybersecurity program, we have developed response and recovery processes and procedures designed to address potential adverse impacts to the company should a cyber event or incident occur. We have implemented a process for employees to complete security and awareness training annually.

Management reports cybersecurity risks to the Enterprise Risk and Compliance Committee in accordance with the risk management program and to our Board's Audit Committee in an effort to keep members of the Audit Committee apprised of the rapidly evolving cyber threat landscape and to enable the assessment of the effectiveness of our overall cybersecurity and compliance programs.

Cyber Risk Management and Strategy

Processes to identify, assess, and manage risks presented by cybersecurity threats are integrated into our overall ERM program and are informed by industry cybersecurity standards. Our CISO, with support from the information security team, leads a risk assessment process to regularly evaluate cybersecurity risks. This process is also supported by periodic security testing and monitoring. Our CISO reviews and contributes to the cybersecurity risk reporting that is provided to the Audit Committee of our Board on a quarterly basis. The quarterly updates include cybersecurity risk assessment results, which include risks associated with the use of third-party service providers, and cover efforts to mitigate previously identified risks. Our CISO also oversees the incident response team and is responsible for updating our Board on any cybersecurity incidents, including the mitigation and remediation of these incidents, should they occur.

As discussed within Item 1A, Risk Factors, we rely on service providers to process sensitive business information. As part of our risk management program, we have implemented a process to conduct a security review of third-party service providers, including through vendor questionnaires and contractual-related security requirements, as appropriate. In addition, we engage third-party experts, including external legal counsel and cybersecurity advisors, to assist in our identification and management of cybersecurity risks as needed.

We have established an incident response process to assess, respond, and report in the event that a cybersecurity incident is detected. Management has assembled a committee to assess the materiality of the impact of identified cybersecurity incidents on our business and determine any disclosure obligations arising from such incidents.

Cybersecurity is incorporated into our business strategy as cybersecurity risks may have a negative impact on our business as outlined within Item 1A, Risk Factors. Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats to and security incidents of our and our third-party vendors' data and systems. For more information, please see Item 1A, Risk Factors.


Company Information

Name: Toast, Inc.
CIK: 0001650164
SIC Description: Services-Computer Processing & Data Preparation
Ticker: TOST - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30