Dave Inc./DE 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

Dave Inc./DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 16:30:46 EST.

Filings

10-K filed on 2024-03-05

Dave Inc./DE filed an 10-K at 2024-03-05 16:30:46 EST
Accession Number: 0000950170-24-026024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. The Company s cybersecurity program and policies articulate the expectations and requirements with respect to acceptable use, risk management, data privacy, education and awareness, security incident management and reporting, identity and access management, vendor due diligence, security (with respect to physical assets, products, networks, and systems), security monitoring and vulnerability identification. The cybersecurity program and policies are operated by a dedicated cybersecurity team in conjunction with the Company s enterprise risk management program. The Company s cyber risk management program is designed to identify, track, escalate, remediate, and report cybersecurity risks across the Company. These risk areas include internal, product, vendor, supply chain, and external services leveraged across the Company. The Company has a vendor management program that evaluates and oversees cybersecurity risks related to third party vendors providing services to the Company. Any identified risks are assessed, prioritized, and addressed via process, technology, and personnel improvements to help ensure ongoing mitigation and tracking. The Company s cybersecurity strategy is guided by risk priorities and identified areas for improvement, which are informed by regulatory requirements and industry standards, such as the Federal Trade Commission s Safeguards Rule and the National Institute for Standards and Technology (NIST) Cybersecurity Framework, and evolving business needs. This strategy is shared with the executive leadership at least annually. The Company maintains an incident response plan, coupled with a continuous monitoring program. This plan and program include incident 44 alerting, comprehensive incident criticality assessments, and escalation processes to support teams, senior leadership, and the Board. The Company s cybersecurity team manages all facets of the security monitoring and incident program, coordinating with Company engineers and other staff, along with third parties as needed, across our operating companies. All company employees are provided cybersecurity awareness training, which includes topics on the Company s policies and procedures for reporting potential incidents. The Company s cybersecurity team evaluates emerging risks, regulations, and compliance matters and updates the policies and procedures accordingly on an ongoing basis. To date, other than the 2020 Incidents, the Company has not experienced a cybersecurity threat or incident that has materially affected or that we believe is reasonably likely to materially affect the Company including its business strategy, results of operations or financial condition. Refer to the risk factor captioned Cyberattacks and other security breaches or disruptions suffered by us or third parties upon which we rely could have a materially adverse effect on our business, harm our reputation and expose us to public scrutiny and liability. in Part I, Item 1A. Risk Factors for additional description of cybersecurity risks and potential related impacts on the Company. Governance The Board oversees the Company s risk management process, including cybersecurity risks, directly and through its committees. Pursuant to the Audit Committee Charter, the Audit Committee of the Board provides compliance oversight to the Company s risk assessment and risk management policies, including for cybersecurity, and the steps management has taken to monitor and mitigate cybersecurity exposures and risks. The Company s Director of Security and Information Technology (DSIT), in coordination with the Company s Vice President of Technology, is responsible for leading the assessment and management of cybersecurity risks. The current DSIT has over 18 years of experience in information security. The DSIT reports to the Board and management on cybersecurity risk assessment, policies, incident prevention, detection, mitigation, and remediation of cybersecurity incidents on a quarterly basis or as needed.

Company Information