Sezzle Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Sezzle Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:03:45 EST.

Filings

10-K filed on 2024-02-29

Sezzle Inc. filed a 10-K at 2024-02-29 16:03:45 EST
Accession Number: 0001662991-24-000052


Item 1C. Cybersecurity.

Risk Management and Strategy

We have integrated cybersecurity risk management into our overall risk management framework and include cybersecurity in our risk management processes and procedures and in our decision-making about and evaluation of such processes and procedures.

As part of our cybersecurity risk management, we regularly assess risks from cybersecurity and technology vulnerabilities and monitor our information systems for potential threats. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards.

In light of the industry in which we operate and our processing of sensitive information, we engage external auditors to annually assess our internal controls governing our services and data, to conduct a payment card industry data security standard review of our security controls protecting payment information, and to perform third-party penetration testing of our payment information and related systems. In addition, we engage third-party service providers to monitor our information storage and systems and to conduct evaluations of our security controls, including independent audits. The results of these independent audits are reported to our management who then report to the Audit and Risk Committee.

Broad oversight of our overall risk assessment, where we assess key risks including security and technology risks and cybersecurity threats, is maintained by our full Board. Our Board delegates to the Audit and Risk Committee oversight of our programs, policies, and procedures related to cybersecurity, information asset security, network security, and data privacy and protection. The Audit and Risk Committee reports on such matters to the full Board as needed. The Audit and Risk Committee also receives regular reports about our cybersecurity program from the Response Team described below.

We have implemented incident response and breach management processes which have overarching and interconnected stages, including (i) preparation for a cybersecurity incident, (ii) detection and analysis of an incident, (iii) containment, eradication, and recovery, and (iv) post-incident analysis.

An internal committee of senior management (the "Response Team") is responsible for overseeing our incident response and breach management processes. The Response Team is tasked with reporting to the Audit and Risk Committee incidents and other cybersecurity matters deemed important or to have a business impact, even if immaterial to the Company as a whole. The Response Team, as necessary and appropriate, is briefed by our information security and engineering teams with respect to risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.

Cybersecurity Governance

Our cybersecurity risk management and strategy processes are overseen by the Response Team, including our Chief Operating Officer ("COO"). The individuals on the Response Team and our COO have prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals are informed by our information security and engineering teams about, and monitor, the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response and breach management processes. The Response Team and COO report to the Audit and Risk Committee on any appropriate items. The Board retains broad oversight of all risk management of the Company.

Third Party Risk Management

Because we are aware of the risks associated with third-party service providers, we have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such third-party service providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of any heightened risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and certifications by third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and we investigate security incidents that impact our third-party providers, as appropriate.

Risks from Cybersecurity Threats

As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, we cannot provide assurance that we will not experience any such event in the future. For more information about the cybersecurity risks we face in connection with our business, see the risk factor entitled "Data security breaches, cyberattacks, employee or other internal misconduct, malware, phishing or ransomware, physical security breaches, or other disruptions to our technology systems or a compromise of our data security could occur and would materially adversely impact our business and ability to protect the confidential information in our possession or control" in Item 1A of this Form 10-K, Risk Factors.


Company Information

Name: Sezzle Inc.
CIK: 0001662991
SIC Description: Services-Business Services, NEC
Ticker: SEZL - Nasdaq; SEZNL - OTC
Website:
Category:
Emerging growth company
Fiscal Year End: December 30