Forge Global Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

Forge Global Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 16:42:14 EDT.

Filings

10-K filed on 2024-03-26

Forge Global Holdings, Inc. filed an 10-K at 2024-03-26 16:42:14 EDT
Accession Number: 0001628280-24-013099

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management framework, systems, and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct a regular cybersecurity risk assessment process through our Head of Information Security ( CISO ) and dedicated information security team which reports to our management-level risk committee, which meets at least quarterly to discuss and evaluate risks that could be material to our business, including cybersecurity threats. This committee is comprised of key leadership across the Company, including our Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, Chief Operating Officer, Chief Legal Officer, and Head of Risk. We additionally have a cybersecurity risk subcommittee which also meets at least quarterly and is designed to assist the management-level risk committee in its oversight of cybersecurity threats. We may conduct further assessments in the event of a material change in our business practices or emerging industry data that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include the effectiveness of our cybersecurity program and its practices for identifying, assessing, and mitigating cybersecurity risks our controls to prevent, detect, and respond to cyber incidents our cyber resiliency, including crisis preparedness, incident response processes, business continuity, and disaster recovery capabilities and our investments in cybersecurity infrastructure and program needs. 34 Table o f Contents Following these risk assessments, we implement, refine, and maintain reasonable safeguards to minimize identified risks reasonably address any identified gaps in existing safeguards and regularly monitor the effectiveness of our safeguards. We use frameworks established by the National Institute of Standards and Technology and other applicable industry standards to further define, benchmark, and refine our cybersecurity practices. As part of our overall risk management system, our dedicated information security team monitors and tests our cybersecurity policies and procedures through methods such as periodic reviews, targeted assessments, and tabletop exercises. All personnel are made aware of our cybersecurity policies and procedures upon hire and through periodic refresher trainings. Such policies and procedures cover areas such as identity and access management, vendor management, data governance and protection, vulnerability management, incident response, and operational risk management. Our cybersecurity policies and procedures are also incorporated into our broader risk management framework such that all enterprise and operational risks are evaluated in a holistic manner. We engage consultants and other third parties in connection with our risk assessment processes. These service providers assist us with designing, implementing, and testing our cybersecurity policies and procedures, as well as advising on applicable disclosure requirements. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect us. To date, we have not experienced any cybersecurity incidents which have materially impacted or are likely to materially impact our business strategy, results of operations, or financial condition based on information known to us as of the date of this Report. Although we cannot eliminate all potential threats, our cybersecurity program is operated in a manner to minimize the likelihood of any threat becoming material and to keep pace with a constantly evolving cybersecurity landscape. That said, as discussed more fully under the section titled Risk Factors, in this Report, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient despite our best efforts. Governance Our management is responsible for the day-to-day oversight and management of our enterprise risks, including risks from cybersecurity threats. As described in Risk Management and Strategy above, primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with our CISO and dedicated information security team, who develop, prioritize, and execute our cybersecurity strategy in partnership with relevant departments and business units. Our CISO, who has over 20 years of cybersecurity and information security experience, oversees our cybersecurity framework and reports to our management-level risk committee and cybersecurity risk subcommittee. Our CISO is assisted in this oversight role by additional members of management, including our Chief Technology Officer, Head of Risk, and our Chief Legal Officer, each of whom bring decades of leadership experience managing risks in their respective fields. Our board of directors, as a whole and as assisted by our risk committee, has responsibility for the oversight of our cybersecurity risk management framework. Consistent with this approach, our board of directors maintains oversight in the context of discussions with management, question and answer sessions, and reports from the management team, each on at least a quarterly basis and ad hoc as needed. Such reports include updates on any cybersecurity incidents and mitigation efforts until they have been resolved. Our board of directors and our audit committee also receives regular and ad hoc reports from our risk committee on all enterprise risks, including risks from cybersecurity threats. Our audit committee provides additional oversight on our cybersecurity risk management framework, with an emphasis on public reporting obligations and the effects cybersecurity risks could have on our financial condition generally.

Company Information