Coupang, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Coupang, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:02:28 EST.

Filings

10-K filed on 2024-02-28

Coupang, Inc. filed an 10-K at 2024-02-28 16:02:28 EST
Accession Number: 0001834584-24-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Coupang has a cyber risk management framework designed to assess, identify, and manage cyber related risks. Cyber related risks are identified through audits, assessments, and incidents. Our vulnerability scanning process uses both automated tools and penetration testing to identify vulnerabilities within our environment . We seek to identify, manage and reduce the risks and potential vulnerabilities by integrating controls and solutions into technology projects based on severity and priority. The Chief Information Security Officer ( CISO ), who has extensive cybersecurity knowledge and skills gained from over 15 years of work experience at the Company and elsewhere, leads our global information security organization responsible for overseeing the Coupang information security program. The CISO regularly reviews our cyber strategy with technology leadership in order to assess whether the cyber strategy is integrated across the organization. The CISO receives reports on cybersecurity threats from experienced information security officers in our security organization on an ongoing basis and in conjunction with management, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. We conduct annual assessments by certified external third-party assessors as part of our industry-recognized information security certifications, ISMS-P and ISO 27001. We also periodically have external third-party consultants conduct maturity assessments of our Information Security program. The results of these audits and assessments inform us about possible risks which are managed through our enterprise risk management process. We also employ external third-party vendors to provide cyber threat intelligence when relevant information is available or as requested. We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. The executive leadership team provides oversight and guidance on cyber policies, procedures, and strategies. Our Board of Director s role in risk oversight is consistent with our leadership structure, with the executive leadership team having responsibility for assessing and managing risks we face in executing our business plans, and the Board and its committees providing oversight in connection with those efforts. In addition to the full Board, the Audit Committee of the Board plays an important role in the oversight of our enterprise risk assessment and management activities, which identify key risks to our business, including risks related to cybersecurity, data privacy, and regulations, and assesses any steps taken to monitor and control such risk. The Audit Committee regularly meets with the CISO to discuss various cybersecurity matters including cyber strategy, cybersecurity risks, controls, including results of audits, mitigation strategies, areas of emerging risks, incidents, if any, and industry trends. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported to the Audit Committee through ongoing updates until resolution. We seek to identify and manage risks from cyber threat intelligence and lessons learned from known cyber incidents with our cyber risk management process and include these within our cyber risk strategy through major technology enhancements and projects. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. Cybersecurity risks continue to increase, and as set out in our risk factors our services may be affected by cybersecurity and data security incidents, including but not limited to spyware, viruses, phishing, and other spam emails, denial of service attacks, data theft, computer intrusions, outages, and similar events, which could be material to the Company. See Item 1A. Risk Factors in this Form 10-K for additional discussion on the risks of future cyber incidents to our results of operations and financial condition.

Company Information