MONEYLION INC. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

MONEYLION INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 09:25:04 EST.

Filings

10-K filed on 2024-03-07

MONEYLION INC. filed an 10-K at 2024-03-07 09:25:04 EST
Accession Number: 0000950170-24-027617

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity At MoneyLion, cybersecurity risk management is an integral part of our overall risk assessment management program. Our cybersecurity risk management program is designed to align with industry best practices, including the National Institute of Standards and Technology Framework and the International Organization Standardization 27001 Information Security Management System Requirements, and provide a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of applications developed and services provided by third-party service providers, and identify and mitigate potential threats and vulnerabilities utilizing our enhanced governance, risk and compliance solution, which incorporates system integration for continuous assessment. This framework includes steps for regularly assessing our threat landscape, taking a holistic view of cybersecurity risks to our enterprise, assessing the severity of any cybersecurity threat, identifying the source of a cybersecurity threat including whether the cybersecurity threat is associated with a third-party service provider, implementing cybersecurity countermeasures and mitigation strategies and informing management and our Risk & Compliance Committee of material cybersecurity threats and incidents. Our Board of Directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to Risk & Compliance Committee of the Board of Directors. The Risk & Compliance Committee, in conjunction with management, routinely reviews the company s major financial risks and enterprise-level exposures, including cybersecurity risk, and our related policies and procedures to ensure that we have processes in place to identify and manage cybersecurity risks. The Risk & Compliance Committee, in conjunction with our Chief Legal Officer and Chief Information Security Officer, or CISO, also reviews our data security programs, our plans to mitigate cybersecurity risk and respond to data security breaches and monitoring of compliance with data security compliance programs and test preparedness. The Risk & Compliance Committee periodically reports to our full Board of Directors on, among other things, our key enterprise risk exposures and our data security program, including cybersecurity, and also reports to the Audit Committee, as it deems appropriate or as instructed by the Board of Directors, regarding cybersecurity matters that may have a material effect on our financial statements. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our Information Security and Cybersecurity teams are responsible for managing and assessing our cybersecurity risk management program under the direction of our CISO, who receives reports from our Information Security and Cybersecurity teams and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. We have cybersecurity operations in both the United States and in our office in Kuala Lumpur, Malaysia to ensure 24/7 monitoring of our global cybersecurity environment and to coordinate the investigation and remediation of alerts. Our CISO and dedicated personnel are certified and experienced information systems security professionals and information security managers with many years of experience. In addition, we provide cybersecurity training to all employees annually. Our Information Security and Cybersecurity teams manage and continually enhance a robust enterprise security infrastructure with the goal of preventing cybersecurity incidents to the extent feasible while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. We have also established a Major Incident Response team, which is responsible for responding to, mitigating and resolving any unexpected security incident. Management, including the CISO and our cybersecurity team, regularly update the Risk & Compliance Committee on the company s cybersecurity programs, material cybersecurity risks and mitigation strategies and provide cybersecurity reports quarterly that cover, among other topics, third-party assessments of the company s cybersecurity programs, developments in cybersecurity and updates to the company s cybersecurity programs and mitigation strategies. Third-party cybersecurity experts also play a key role in our cybersecurity risk management. We engage third-party service providers to conduct evaluations of our security controls, including through penetration testing, independent audits and consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of our security controls, leveraging third-party technology and expertise. 57 In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. In addition, our third-party service providers and other partners face similar cybersecurity threats, and although we assess these third parties cybersecurity controls through a cybersecurity assessment, which may include a cybersecurity questionnaire depending on our risk evaluation, and include security and privacy addendums to our contracts where applicable, a cybersecurity incident any of these entities could materially adversely affect our operations, performance and results of operations. For more information about these risks, please see Risk Factors Risks Relating to Information Security Cyberattacks, data security breaches or other similar incidents or disruptions suffered by us or third parties upon which we rely could have a material adverse effect on our business, harm our reputation and expose us to public scrutiny or liability in this Annual Report on Form 10-K.

Company Information