Bumble Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Bumble Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:16:08 EST.

Filings

10-K filed on 2024-02-28

Bumble Inc. filed an 10-K at 2024-02-28 16:16:08 EST
Accession Number: 0000950170-24-022104

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyb ersecurity As required by Item 106 of Regulation S-K, the following sets forth certain information regarding our cybersecurity strategy, risk management and governance. Risk management and strategy Our Information Security Management System ( ISMS ), the foundation of our security framework, is designed to protect critical assets (including our users personal information) and assess, identify, manage and mitigate material risks from cybersecurity threats. The ISMS is applicable to all individuals and third parties providing services to the Company and is informed by multiple industry-recognized standards and frameworks, including the International Organization for Standardization ( ISO ) standards for information security management systems, the U.S. National Institute of Standards and Technology ( NIST ) Cybersecurity Framework, and the Payment Card Industry ( PCI ) Data Security Standard ( PCI-DSS ). It leverages the guidance of ISO 27001 in its design and operation, with policies intended to align to the requirements of ISO 27001 and follow the technical guidance of the appropriate NIST SP 800-53 Security and Privacy Controls standards where applicable. We review our security policies and procedures at least once annually, as well as in connection with significant enterprise-wide changes, such as technical or structural changes in our business or regulatory changes, and our policy content is continuously updated to account for a shifting threat landscape and to incorporate emerging best practices. We are a PCI-DSS Level 1 Merchant and are independently assessed against the PCI-DSS standard annually by an external PCI Qualified Security Assessor. Pursuant to the ISMS, we continuously monitor cybersecurity threats and strive to preemptively identify vulnerabilities. Our vulnerability management program operates on multiple layers of vulnerability discovery, such as third-party software component analysis, static and dynamic security testing, continuous infrastructure vulnerability scanning, cloud infrastructure scanning, independent third-party penetration testing, and a public bug bounty scheme. Our threat detection capabilities include automated 24/7 detection and alerting with automated response protocols designed to support rapid analysis and enrichment for security analysts who are guided by a formally documented Incident Response Plan in the event of a breach, as more fully described below. 44 The ISMS also provides for ongoing processes, tools and methods to bolster our cybersecurity defenses. We provide training to all of our employees, which includes annual information security awareness education, delivery of monthly cybersecurity updates, and simulated phishing exercises. We also host a live, third-party tabletop exercise annually for information security incident response for key individuals, including senior management and other senior leaders of the Company. Additional security features that we have in place that are intended to protect our systems and data from cyber-attacks include: physical and digital access controls, multifactor authentication for domain sign-on, corporate mobile device management, and tools to detect malicious emails and other suspicious activity. Finally, the ISMS incorporates an Incident Response Plan, which outlines the procedures that we use to investigate and respond to cybersecurity events and alerts, an Incident Response Policy, which sets out high-level principles and requirements that apply to cybersecurity incident response, and a Business Continuity Plan, which sets out high-level steps in protecting the services, assets and employees of the Company during an event that disrupts business continuity. The Incident Response Plan includes clearly defined roles and responsibilities, including guidance for reporting up the chain to senior management and, where appropriate, to the Audit Committee and the Board. It comprises four high-level phases: identification and investigation of a cybersecurity incident (including suspected personal data breaches); containment to lessen any ongoing harm; eradication of the root cause; and, post-recovery, supplementation of the cybersecurity incident record with lessons learned in order to improve our incident response capabilities. The Business Continuity Plan defines the procedures to be followed if there is a critical failure that results in operations at one of our corporate offices being suspended, as well as the procedures to be followed if there is a critical failure of our services or underlying hosting infrastructure that results in significant degradation of a service provided, with an aim to operate at existing service levels throughout the duration of the incident. When engaging third-party critical service providers, we conduct security assessments before engagement and require them to implement comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. As part of such security assessment, we ask the third-party service provider to complete a privacy and security questionnaire, through which we can assess the service provider s security capabilities and maturity, and to provide us with evidence of penetration testing and reports. To date, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, as discussed more fully under Part I, Item 1A Risk Factors Risks Related to Information Technology Systems, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security incidents of these types, and we may not be able to implement effective preventive measures against such security incidents in a timely manner. Governance We have integrated the process of cybersecurity risk management, including oversight of the ISMS, into our broader risk management framework. The Board has broad oversight of risk management related to us and our business while delegating certain specific risk oversight responsibilities to its committees. The Board oversees our risk management activities through a combination of processes, including direct engagement with management. The Board has determined that the Audit and Risk Committee shall review our compliance with legal and regulatory requirements as well as the effectiveness of our risk management processes. As part of this oversight, the Audit and Risk Committee reviews the guidelines, policies, and practices that govern how senior management handles our exposure to cyber- and privacy-related risks. Our Chief Information Security Officer ( CISO ) provides quarterly updates to the Audit and Risk Committee, as well as an annual report to the Board, regarding a range of cybersecurity activities while maintaining the confidentiality, integrity, and availability of information, including user information under our custody. There are also scheduled monthly meetings where, among others, our CISO, Head of Privacy and a representative of the Sponsor attend, in order to discuss our cybersecurity program, including evaluating the implementation of additional controls, processes, policies, and procedures, as appropriate, as well as any notable security incidents, if any. Our CISO joined the Company in the role of Chief Information Security Officer almost four years ago, and has over 20 years of experience in the field of cybersecurity. He is supported by and leads our Information Security team, which includes the first responders to cybersecurity incidents.

Company Information