Groupon, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on July 16, 2024

Groupon, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-03-15 06:58:57 EDT.


10-K filed on 2024-03-15

Groupon, Inc. filed a 10-K at 2024-03-15 06:58:57 EDT
Accession Number: 0001490281-24-000024


Item 1C. Cybersecurity.

We face significant and persistent cybersecurity risks due to the widespread use of our websites and mobile applications; the attractiveness of our websites and mobile applications to threat actors, including state-sponsored actors; the fact that we operate globally and must defend against cybersecurity attacks in thirteen countries; the substantial level of harm that could occur to our business, our customers, or our merchants if we were to suffer a material cybersecurity incident; and our use of third-party products and services. Protecting our systems, networks, data and confidential information is a priority at Groupon. We are committed to maintaining robust governance and oversight of these risks and implementing mechanisms, controls, technologies and processes designed to help us identify, assess and manage these risks.

As of the date of this Form 10-K, we have not experienced a material cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, but there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in significant costs related to, for example: rebuilding our internal systems, implementing additional threat protection measures, providing modifications to our websites and mobile applications, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing merchants and customers with incentives to maintain a business relationship with us, taking other remedial steps with respect to third parties or incurring significant reputational harm. In addition, these threats are constantly evolving, which increases the difficulty of successfully defending against them or implementing adequate preventative measures. We have seen an increase in the volume, frequency and sophistication of cyberattacks.

We seek to detect and investigate unauthorized attempts and attacks against our network, cloud infrastructure, websites, and mobile applications and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and our websites and mobile applications; however, we remain potentially vulnerable to known or unknown threats. It is also possible that we, our merchants, our customers or our vendors will be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. See Item 1A. - Risk Factors for more information on our cybersecurity risks.

The Audit Committee of our Board (“Audit Committee”) oversees risks pertaining to cybersecurity. A member of our IT and Information Security teams regularly reports to the Audit Committee, and directly to the Board, as appropriate, on the state of our cybersecurity program and provides updates on cybersecurity matters. In addition, our Vice President of Software Engineering typically conducts an annual cybersecurity review with our Board.

We employ security practices to protect and maintain the systems located at our cloud hosting providers, invest in intrusion and anomaly detection tools and engage third-party security firms to test the security of our websites and systems. Specifically, we leverage industry best practices to identify and mitigate data security risks, including but not limited to, utilizing processes and tools to monitor and address email security, the security of our workstations and servers, cloud security, password management, secure file transfers and ransomware protection. In addition, we utilize a firewall, a virtual private network, multi-factor authentication and single sign-on and conduct regular phishing testing.

We also regularly evaluate and assess our systems and the controls, processes and practices to protect those systems, including recently completing the migration of our public-facing websites and applications and our back-end business intelligence systems to the cloud. We also retain personnel that have in-depth experience in penetration testing and conduct penetration testing against our own systems. Further, we utilize third party partners to help us monitor issues that are internally discovered or externally reported that may affect our websites and mobile applications, and we have processes to assess the potential cybersecurity impact or risk of these issues.

We also have a process in place to manage cybersecurity risks associated with third-party service providers. We impose security requirements upon our suppliers, including maintaining an effective security management program abiding by information handling and asset management requirements and notifying us in the event of any known or suspected cyber incident.

The day to day operations of our cybersecurity risk management program are overseen by our IT and Information Security teams. Our cybersecurity program is run by our Vice President of Engineering for InfoSec, Darren Redmond, who reports to our Chief Technology Officer (“CTO”), Vojtech Rysanek. Our CTO has served in that position since November 2022, and, prior to Groupon, he was previously the CTO at Aukro, the largest online marketplace in the Czech Republic. Mr. Redmond has served in this position for the last year and has worked at Groupon for over 7 years, and, prior to Groupon, his experience includes serving as the CTO of Knowledge Point, a learning materials management service provider. Our Information Security Officer reports to Mr. Redmond and monitors prevention, detection, mitigation and remediation efforts through regular communication and reporting from professionals in the Information Security team, many of whom hold cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager, and through the use of technological tools, software and results from third party audits. Our Information Security Officer joined Groupon in November 2023, and, prior to Groupon, was previously in VMware Carbon Black, and prior to that held roles in Skyscanner. Our Security Manager and Security Operation Center Manager also have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our VP of InfoSec and CTO regularly report directly to the Audit Committee on our cybersecurity program and efforts to prevent, detect, mitigate and remediate issues. In addition, we have an escalation process in place to inform senior management and the Board of material issues.

Company Information

Name: Groupon, Inc.
SIC Description: Services-Advertising Agencies
Ticker: GRPN - Nasdaq
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30