Rush Street Interactive, Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Rush Street Interactive, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:57:27 EST.

Filings

10-K filed on 2024-03-07

Rush Street Interactive, Inc. filed a 10-K at 2024-03-07 16:57:27 EST
Accession Number: 0001793659-24-000013


Item 1C. Cybersecurity.

Our process for identifying, assessing and managing material risks from cybersecurity threats is part of our broader risk management system and processes. We use a risk management framework based on applicable laws and regulations and informed by industry standards and industry-recognized practices, for managing cybersecurity risks within our offerings, infrastructure and corporate resources. As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits and risk assessments. We also maintain a variety of incident response plans, playbooks and processes that are utilized if and when incidents are detected.

In addition, we have processes in place to govern our third-party vendor security risks. We generally gather information, usually through questionnaires, from certain third parties who contract with the Company and receive sensitive data from us or have access to or integrate with our systems, in order to help us assess potential risks associated with their security processes. We also generally require third parties to, among other things, maintain security controls to protect confidential information and data, and generally notify us of any data breaches that may impact our data through obligations that are documented in data processing or other agreements. We also carry insurance that provides certain, limited protection against losses arising from a cybersecurity incident.

Internally, we also have a security awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The security awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. These trainings are mandatory for all employees and take place throughout the year, and it is supplemented by testing initiatives, including periodic phishing tests. We also provide access to specialized training for certain employee roles, such as application developers. Finally, our privacy and data protection program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.

From time to time, we engage assessors, consultants, auditors, or other third-party service providers to enhance risk mitigation efforts. For instance, we periodically perform simulations and tabletop exercises for our technical teams and senior leaders to prepare for a possible cyber crisis and incorporate external resources and advisors as needed. We also engage third-party consultants and service providers to assist with penetration testing, security audits and vulnerability assessments in certain jurisdictions.

While our full Board has overall responsibility for risk oversight and is currently overseeing our business continuity, regulatory and compliance risks, it is supported in this function by our Audit Committee, Compensation Committee and NCG Committee. Our Audit Committee periodically reviews our cybersecurity, information technology, data protection, privacy and compliance risk management, as well as performs other risk oversight functions. Through its regular meetings with management, including the accounting and finance, legal, internal audit, regulatory compliance and information technology and security functions, the Audit Committee reviews and discusses our cybersecurity risk management practices and policies and periodically updates the Board or relevant members or committees thereof, about any material risks and the appropriate mitigating factors.

Our Chief Information Officer, who has information technology, engineering, product and security knowledge, experience and skills gained over a decade of experience leading product and engineering organizations, and certain members of his team as well as outside advisors who have cybersecurity experience are responsible for implementing and maintaining cybersecurity and data protection practices at the Company and reporting on cybersecurity matters to the relevant members of management. This team is supported, from time to time, by third-party consultants and service providers with specific areas of cybersecurity expertise.

Management is responsible for identifying, assessing and managing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures, and maintaining cybersecurity policies and procedures. Management also regularly communicates cybersecurity risks and activities with other members of management and, as appropriate, to our Board or relevant members or committees thereof, including the Audit Committee.

We, like many other companies in the gaming and entertainment space, experience routine cybersecurity threats such as DDOS, phishing or social engineering attacks. While our business strategy, results of operations and financial condition have not been materially affected by risks from any such cybersecurity threats, including as a result of previously identified cybersecurity incidents, we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.


Company Information

Name: Rush Street Interactive, Inc.
CIK: 0001793659
SIC Description: Services-Miscellaneous Amusement & Recreation
Ticker: RSI - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30