Life360, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Life360, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:07:10 EST.

Filings

10-K filed on 2024-02-29

Life360, Inc. filed an 10-K at 2024-02-29 16:07:10 EST
Accession Number: 0001581760-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We take a layered approach to cybersecurity leveraging multiple levels of controls designed to mitigate and minimize cybersecurity risks and protect the confidentiality, integrity, and availability of our critical systems and information. We have established and implemented policies and processes designed to assess, identify, and manage risks from cyber security threats, including product and SaaS security, and have integrated these into our operating model and enterprise risk management processes. We monitor for, and assess, material risks from cyber security threats such as unauthorized occurrences or events on or conducted through our information systems that may result in adverse effects to the confidentiality, integrity, or availability of our information systems or information, including personal information, proprietary information and intellectual property. Identification and Assessment To identify and assess risk, we maintain a cybersecurity risk register which is reviewed regularly and updated as appropriate. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damages that could result from such risks (to the extent known), and the potential sufficiency of existing mitigating policies, procedures, systems, and safeguards. Risk is scored based on the potential impact to the business (inherent risk) and re-scored based on mitigations in place (residual risk). Following this assessment, we determine opportunities for further mitigating identified risks. Risk Mitigation We implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats, including product and SaaS security. These measures vary depending on the environment and threat. For example, we monitor our information systems, networks, and devices for potential threats, utilizing multiple mechanisms. We maintain Network Security Operations (NSO) and Site Reliability Engineering (SRE) teams to respond to potential threats or anomalies. We update vendor-provided tools (e.g. data management systems, financial reporting systems and infrastructure systems) in an effort to address identified vulnerabilities or threat vectors arising through vendor-provided products and services. We have adopted policies and standards aimed at implementing product security, including: conducting third-party penetration testing of our SaaS solutions; developing code based on a Security Software Development Lifecycle (SSDLC) process; and using automated tools for static code analysis and open-source scanning. Changes to material systems are governed by our change management processes. Certain systems are scanned for static and dynamic vulnerabilities. Automatic and manual penetration tests of certain environments are performed frequently and often through third-party testing groups. We have processes in place designed to control access to material systems and such processes are reviewed and updated as appropriate. We utilize certain controls such as two-factor authentication, intelligent anomaly detection and centralized identity and access management tools, designed to mitigate the risk of inappropriate access to internal user accounts. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example dynamic vulnerability testing, third party library vulnerability scanning, end-point management, enterprise monitoring tool, Attack Surface Management, web application firewall (WAF)/distributed denial-of-service (DDoS)/constant delivery network (CDN)/domain name server (DNS) protection, and backups and recovery. We also utilize service providers to assist with cybersecurity risk assessments. Vendor Management In providing our products and services, we make extensive use of third-party vendors and applications. We onboard material vendors through a vendor review process, which includes a security assessment and a determination of what is required (for example, policies, procedures, technical controls, or physical controls) in an effort to securely configure any interaction with them. Vendors providing certain services may be subject to greater scrutiny, including reviews of any relevant certifications and/or independent testing of their products or systems. Certain vendors are reviewed annually in an effort to assess continued compliance with their obligations to us, and as relevant, the risk that they pose to our cybersecurity posture. Such reviews typically depend on the nature of the data and/or systems that these vendors may have access to or with which they otherwise interact. 54 Table of Contents Additional Information For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, Risk Factors, in this annual report on Form 10-K, including the risk factors entitled Risk Factors Risks Related to Privacy and Cybersecurity. Governance Responsibilities of the Board of Directors Our Board provides oversight of our risk management process, including risks from cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure and the mitigation and remediation of cybersecurity incidents, and our executive officers (including our CEO, CFO, and COO) are responsible for the day-to-day management of the material risks we face, including cybersecurity risks. Our Board administers its cybersecurity risk oversight function as a whole, as well as through the Audit and Risk Committee ( ARC ). Our corporate security team informs the Board and ARC of certain cybersecurity risks and threats during quarterly meetings and provide materials shared in connection with such meetings, as well as ad hoc updates when there are material developments or changes that may impact cybersecurity risk to the company. Refer to Item 10. Directors, Executive Officers and Corporate Governance section of this Annual Report for additional information regarding the ARC and other committees of the Board as well as the ARC charter. Responsibilities of Management Our corporate security team consists of the Manager of Security Engineering, a Senior Security Engineer, a Senior SRE and a Security Engineering Contractor. The corporate security team is primarily responsible for assessing and managing material risks from cyber security threats, defining and overseeing our corporate security program, reviewing technical designs and vendors for security risks, and managing our security tools and infrastructure. Our corporate security team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology systems environment, including those described in Risk Management and Strategy. The corporate security team reports to the Senior Manager of Information Technology, who reports to the Senior Director of Engineering Operations which maintains responsibility for our cyber security program. The corporate security team has a combined professional experience of several decades in cybersecurity and related fields, including software and hardware engineering, information technology systems, devops, and security program management. They hold a range of certifications in security and technology, such as in LCSPC, ISO/IEC 27001:2013, OSCP, SANS SEC, CSSLP and AWS. Several team members participate in groups that focus on information security such as OWASP, Open Security Summit and other professional organizations and projects. Our Manager of Security Engineering provides frequent briefings to management regarding the Company s cyber security risks and risk-mitigation efforts, which may include recent incidents and related responses, newly identified risks, changes to the security program, and activities of third parties and vendors, as appropriate. Management provides cybersecurity updates to executive management and the Board through meetings and materials shared in connection with those meetings, as well as ad hoc updates when there are material developments or changes. Incident Response Procedures Our cybersecurity incident response procedures are designed to escalate certain cyber security incidents to our executive officers and the Board as appropriate. Upon initial discovery of a potential incident, a member of the corporate security team leads the initial potential incident response efforts. Potential incidents are scored based on impact (including potential impact), and if certain criteria are met, the technical response team is broadened to include a representative from the Company s legal team and other relevant stakeholders (such as executive management) as appropriate. Our incident response team or its designee, provides relevant updates to the Chief Executive Officer or other Company senior management and the Board, as appropriate. 55 Table of Contents

Company Information