ContextLogic Inc. 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

ContextLogic Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 20:10:54 EST.

Filings

10-K filed on 2024-03-04

ContextLogic Inc. filed an 10-K at 2024-03-04 20:10:54 EST
Accession Number: 0000950170-24-025210

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. As a data-driven company, we may be a potential target for cyberattacks and may be exposed to a number of cybersecurity risks in the normal course of operations. Our success as a business may depend upon our ability to address these risks, and to keep our platform and internal systems secure for the benefit of our merchants, users, business partners, employees, and other stakeholders. In order to protect our customers data - and any other data we manage or handle - we have adopted a number of safeguards and security measures. For example, we have implemented firewalls, endpoint protection, detection and response solutions, intrusion detection systems, access controls including multi-factor authentication, vulnerability scanning, software static analysis, dynamic analysis, third- party independent penetration testing, independent third- party control audits, a public bug bounty program. In addition, we have developed and maintained a robust Incident Response Plan ( IRP ), which is designed to equip our employees and managers with the necessary tools to detect, respond to, and ultimately prevent cybersecurity incidents affecting the platform. Our IRP contains detailed processes and procedures to assist employees in managing cybersecurity incidents when they happen, including techniques for detecting/identifying suspicious activity in our data environment, response and escalation protocols to defend against intrusions and contain any potential data leakage, data preservation measures to ensure data integrity going forward, and remediation steps to diagnose root causes and secure gaps to prevent future attacks. Our cybersecurity risk management program and our IRP is led by our Director of Security, who is supported by a multi-tier incident response team comprised of security, technical, and legal experts across our business who are responsible for coordinating and managing data security efforts, including incident response. This cross-functional team of specialists operates under the supervision of our executive management team with oversight from the Audit Committee of our Board of Directors and holds briefings to ensure the executive group is attuned to matters of data security impacting us. Our Director of Security has 14 years of experience working in the IT, infrastructure, and security domains. Before that, he worked for 6 years at Microsoft and 4 years at Garmin in similar roles. Finally, the IRP is also supported by a full curriculum of training for engineering and non-engineering employees that is drafted and administered under the supervision of our Director of Security. Importantly, these training sessions include several modules and quizzes for both technical and non-technical employees to assist our employees in comprehensively understanding the importance of data security to our stakeholders and our business and the various ways they can promote a security environment throughout our Company. Risk Management and Strategy Assessing and Responding to Cyber Threats and Cyber Incidents Our IRP sets forth the company s process for assessing cyber threats. The IRP serves as the incident response plan for Higher-Risk Security Incidents affecting Wish Information Systems and Wish Data, and it applies to all Wish personnel, including employees, contractors, consultants, and any other individuals acting for or on behalf of the Company of its subsidiaries or affiliated entities anywhere in the world. Lower-Risk Security Incidents are managed by the IT/Engineering Teams under their internal processes. The IRP assesses and responds to cyber threats by the following, to the extent applicable, (1) review from the initial assessment team, (2) escalation to a core incident response team, (3) involvement of the extended incident response team, (4) initial containment and preservation, (5) investigation, (6) breach notification, (7) remediation and resumption, and (8) post-mortem assessment. Evaluation As part of our IRP, we conduct regular testing to ensure that the IRP is functional and effective. Tests may include tabletop exercises, full simulations, verbal walkthroughs with relevant stakeholders, or responses to actual Security Incidents. We also engage third-party services to conduct evaluations of our security controls, including the IRP, whether through penetration testing, independent cybersecurity audits or consulting on best practices to address new challenges and risks. These evaluations include testing both the design and operational effectiveness of security controls. 53 Proactively Managing Privacy Risks We also take several measures to proactively manage privacy risks. As part of our commercial contract review process, we require every third-party vendor ( vendor ) engaged by the company to go through a separate privacy review. The privacy review includes, evaluating the personal data processed by the company and/or vendor, assessing the potential risks to such personal and applicable data subjects and identifying the specific measures that must be implemented to mitigate against such risks. One of these measures is to require vendors to agree to our standard Data Security and Privacy Addendum ( DPSA ), which was prepared with the assistance of outside consultants or revising the vendor s proposed Data Protection Agreement ( DPA ) to provide the same protections as our DSPA. Wish s DSPA contains privacy preserving language and security controls to protect the Company in the event of a Security Incident. Additionally, we ve also appointed a Data Protection Officer ( DPO ) who advises and monitors data protection functions at the Company. Our DPO has 15 years of experience working in cybersecurity, IT, governance, risk management, regulatory compliance, and data protection and privacy program design and implementation. Our DPO previously served as the DPO for several large companies, including ecommerce, life sciences, ESG, and legal services businesses. Our DPO is also a Certified Information Systems Security Professional. Board and Management Oversight The Company s management is involved in assessing Security Incidents to the extent discussed in the IRP above. The Board and Audit Committee are notified and updated on any Security Incidents on a regular basis. The Board actively oversees our enterprise risk management, including cybersecurity risks. Our cybersecurity policies and procedures are integrated into our overall risk assessment program. Additionally, the Audit Committee is responsible for overseeing our cybersecurity risk management and strategy and regularly meets with the CTO about the Company s ongoing compliance and risk management and reports to the Board regularly. Cybersecurity Threat Disclosure To date, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us. For further discussion of risks related to data protection, cybersecurity, and intellectual property, please see Item 1A, Risk Factors .

Company Information