Klaviyo, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Klaviyo, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:08:02 EST.

Filings

10-K filed on 2024-02-29

Klaviyo, Inc. filed a 10-K at 2024-02-29 16:08:02 EST
Accession Number: 0001835830-24-000022


Item 1C. Cybersecurity.

Governance Related to Cybersecurity Risks

Our board of directors recognizes the importance of our risk management program related to cybersecurity. As provided in the charter of the audit committee of our board of directors ("Audit Committee"), our Audit Committee serves a key function in our board of directors' oversight of these risks and processes. Our Chief Information Security Officer ("CISO") provides updates on the cybersecurity risks we face and our processes to address those risks to our Audit Committee on a periodic, but at least quarterly, basis. These updates may include, but are not limited to, reports of identified cybersecurity risks, status of our risk management processes, and updates regarding regulatory requirements and policies. Our Audit Committee comprises members of our board of directors with extensive experience in the technology sector who have held leadership positions at other publicly listed companies and have expertise in various aspects of our business.

Cybersecurity matters are formally raised to the Chief Executive Officer, Chief Financial Officer, and Chief Legal Officer through their attendance of Audit Committee meetings. These individuals are also informed of significant events and updates through direct communication from our CISO as needed. We have a process for significant decisions over the Company's cybersecurity framework and identified incidents to be escalated to the board of directors for disclosure and oversight.

Our CISO leads our cybersecurity initiatives and is primarily responsible for the assessing, managing, and monitoring of the Company's cybersecurity risks. Our CISO has over 20 years of experience in the technology sector, including as CISO of other publicly listed technology companies. His knowledge of cybersecurity, compliance, and risk assessment has been leveraged to develop our cybersecurity governance and risk strategy. Our CISO oversees the Security Operations and Trust team, as well as our cybersecurity related programs and matters, which are reported on regularly to the Audit Committee.

Cybersecurity Risk Management and Strategy

We have integrated cybersecurity risk management into our enterprise risk management framework in an effort to identify, assess, and manage risks from cybersecurity threats that could affect our business and information systems. We have implemented a cybersecurity program that is informed by recognized industry standards and frameworks, and incorporates elements of the same, including elements of the National Institute of Standards and Technology Cybersecurity Framework and International Organization for Standardization and the ISO 27001 standards.

Our cybersecurity risk assessment program includes a number of components, including monitoring and reviewing relevant intelligence sources to identify potential cybersecurity risk and threats, penetration testing and vulnerability assessments, and audits and maturity assessments. These processes are conducted periodically by both internal and external resources. For example, independent third-party experts and assessors assist with our SOC 2 Type 2 examinations and penetration testing. Our internal audit function also periodically conducts an assessment of different systems to provide the Audit Committee with information on our cybersecurity risk management processes.

We have implemented a process to address identified risks from cybersecurity threats in which the Security Operations and Trust team works in consultation with management and other key stakeholders, as appropriate, to determine the associated risks, potential impact, and the recommended course of action to address those risks. We have an incident response plan that is designed to set out escalation procedures for informing management and other key stakeholders. Our process calls for significant incidents and significant cyber risks to be raised to the Audit Committee followed by notification to our board of directors.

We engage third-party service providers in the operation of our business. In an effort to mitigate risks from cybersecurity threats associated with our service providers, we perform security reviews of third-party service providers that are critical to our business or that could have an impact on our financial reporting. These security reviews may include, as appropriate, security questionnaires and vendor due diligence assessments. To monitor and manage third-party risk, we have a dedicated Security Operations and Trust team that reviews service providers' independent attestation reports and third-party certifications.

While we have been the target and victim of cyberattacks by third parties, as of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that may have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. See the section titled "Risk Factors" for further detail on identified risks, including those related to cybersecurity.


Company Information

Name: Klaviyo, Inc.
CIK: 0001835830
SIC Description: Services-Prepackaged Software
Ticker: KVYO - NYSE
Website:
Category: Non-accelerated filer; Emerging growth company
Fiscal Year End: December 30