Prosper Funding LLC 10-K Cybersecurity GRC - 2024-03-22

Page last updated on July 2, 2024

Prosper Funding LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:51:47 EDT.


10-K filed on 2024-03-22

Prosper Funding LLC filed a 10-K at 2024-03-22 16:51:47 EDT
Accession Number: 0001416265-24-000007


Item 1C. Cybersecurity.

Risk Management and Strategy

Prosper recognizes the critical importance of protecting the company’s assets and customer data against new and existing risks using appropriate organizational measures, policies, procedures, and technical solutions while maintaining robust cybersecurity measures to safeguard our information systems and protect the security, confidentiality, integrity, and availability of our data.

Managing Material Risks & Integrated Overall Risk Management

Prosper has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our information security (“InfoSec”) team works closely with our information technology team to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

Third-Party Risk Management Engagement

Prosper engages with a range of external experts, including external auditors, cybersecurity assessors and penetration testers as part of our InfoSec and cybersecurity programs. Our collaboration with these third-parties includes services such as external audits, threat assessments and guidance on key security initiatives. These partnerships allow us to leverage specialized knowledge and insights, consistent with our aim for industry-best practices.

Oversee Third-Party Risk

Prosper maintains stringent processes to oversee and manage the risks associated with third-party service providers, including a team focused on vendor, enterprise, and procurement risk management. We conduct diligence and security assessments of material third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards.
This monitoring includes an initial review of their information security program, annual re-assessments, and ongoing monitoring for security incidents. This approach is designed to mitigate risks related to data breaches or other security incidents originating from our material vendors and partners.

Risks from Cybersecurity Threats

For a description of the cybersecurity risks which could materially affect Prosper’s business strategy, results of operations, or financial condition, please refer to the following: (i) “Risk Factors- If the security of PFL’s investors’ and borrowers’ confidential information stored in our systems is breached or otherwise subjected to unauthorized access, users’ secure information may be stolen, our reputations may be harmed, and we may be exposed to liability,”; (ii) “Risk Factors- Any significant disruption in service in our marketplace or in PMI’s computer systems could adversely affect PMI’s ability to perform its obligations under the Administration Agreement,”; and (iii) “Risk Factors- Our marketplace may be vulnerable to computer viruses, physical or electronic break-ins and similar disruptions.” We and certain third party vendors occasionally have experienced cyber-attacks, breaches of our and their systems and other similar incidents, which to-date have not had a material effect on Prosper’s business strategy, results of operations, or financial condition.

Governance

The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats.

Board of Directors Oversight of Risks

The Board is directly responsible for overseeing risks related to cybersecurity and is composed of board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
The Board is informed of cybersecurity risks by our Chief Executive Officer (“CEO”) and General Counsel (“GC”), who are kept updated on an ongoing basis of cybersecurity risks through our Chief Technology Officer (“CTO”) and Head of Information Security (the “InfoSec Director”). Our InfoSec Director also prepares a quarterly update for each Board meeting that updates the Board of any information security and cybersecurity risks and threats to our systems. The InfoSec Director also will meet with the Board directly for training focused exclusively on our cybersecurity and information security program and risks, beginning in 2024.

Risk Management Personnel

Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with our InfoSec Director. Our InfoSec Director has experience building global Information Security programs and has advised organizations across several highly-regulated industries, including financial services, technology, healthcare, government, non-profit, and retail. Our InfoSec Director, with oversight from the CTO, manages Prosper’s information security risk management program and informs Prosper’s Enterprise Risk & Information Security Committee (“eRISC”), which consists of members of Prosper’s management team and includes our CEO, Chief Financial Officer (“CFO”), CTO, and GC, regarding the prevention, detection, mitigation, and remediation of cyber risks and incidents. The cybersecurity team has decades of experience in selecting, deploying, and operating cybersecurity technologies, initiatives, and processes. eRISC meets on at least a quarterly basis to discuss any cybersecurity incident reports, as applicable, ongoing cybersecurity initiatives and strategies, take any actions approved by the voting members of eRISC, and discuss escalation and reporting to the Board, as needed.
Process for Monitoring Cybersecurity Incidents

The InfoSec Director and eRISC, as applicable, are continually informed about the latest developments in cybersecurity including potential threats and innovative risk management techniques. The InfoSec Director is an active thought leader and speaker within the CISO community, regularly participating in cybersecurity conferences such as FS-ISAC, and CISO summits. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The InfoSec Director implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the InfoSec Director is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.

Reporting to Board of Directors

As discussed above in “Cybersecurity Board of Directors Oversight of Risks,” our InfoSec Director regularly updates our eRISC committee regarding all aspects related to cybersecurity risks and incidents and also maintains direct communication with the CEO, CFO, CTO, and GC for escalation of such incidents directly to the Board. This ensures that the highest levels of management and the Board are kept informed of the cybersecurity posture and potential risks facing Prosper.

Company Information

Name: Prosper Funding LLC
SIC Description: Finance Services
Fiscal Year End: December 30