Moatable, Inc. 10-K Cybersecurity GRC - 2024-04-03

Page last updated on July 16, 2024

Moatable, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-03 17:04:14 EDT.


10-K filed on 2024-04-03

Moatable, Inc. filed a 10-K at 2024-04-03 17:04:14 EDT
Accession Number: 0001410578-24-000425

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Our company recognizes cybersecurity as a critical component of its risk management strategy. We are committed to protecting our digital assets, customer data, and intellectual property from cyber threats. Our approach is guided by industry best practices and compliance with relevant cybersecurity standards and regulations including SOC 2, ISO 27001, and ISO 27701. We conduct regular assessments to identify potential cybersecurity threats and vulnerabilities that are then reviewed by external auditors as part of our annual SOC 2 Type 2 Review and ISO 27001 audit. This process includes evaluating external threat landscapes, internal systems, and processes for susceptibility to cyber-attacks. We utilize both in-house expertise and external consultants to ensure a comprehensive assessment. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”). Our information technology department collaborates with our security and compliance team (a cross-functional team), product development department and the legal department to help identify, assess and manage the company’s cybersecurity threats and risks. They identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile, using various methods including, among others, manual and automated tools, internal and external audits, third-party threat assessments and external intelligence feeds, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, and conducting vulnerability assessments to identify vulnerabilities. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including but not limited to IT policies (incident management plan, stake-holder engagement, incident response plan, DR plan, etc.) incident detection and response, and vulnerability detection and management, preventative controls including firewalls, secure coding practices and IDS, annual disaster recovery testing, data segregation and encryption (at rest and in-transit), network security controls and access controls, asset management, tracking and disposal, vendor management, employee training and awareness and cybersecurity insurance. Our assessment and management of material risks from cybersecurity threats are integrated into the company’s overall risk management processes. For example, the information technology department, security and compliance team and product development department work with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; and our senior management, such as our chief executive officer, evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee of our board of directors, which evaluates our overall enterprise risk. Additionally, we use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats. Such third-party service providers include professional service firms including outside legal counsel, cybersecurity consultants, cybersecurity software providers, penetration testing firms, dark web monitoring services providers, and forensic investigators. These third-party service providers perform a variety of functions for our company, and we maintain a robust vendor management program to manage cybersecurity risks associated with our use of these providers. For example, we conduct risk and security assessment for potential vendors and their programs and periodically review such assessments; and we require our vendors to complete security questionnaires and conduct audits and vulnerability scans related to them. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect our company, see “Item 1A. Risk Factors-Risks Related to Our Business and Industry-Cyber-attacks, computer viruses, physical or electronic break-ins or other unauthorized access to our or our business partners’ computer systems could result in misuse of confidential information and misappropriation of funds of our customers, subject us to liabilities, cause reputational harm and adversely impact our results of operations and financial condition.,” and “-We rely on sophisticated information systems and third-party cloud infrastructure to run our business. The failure of these systems, any service disruptions or outages, or the inability to enhance our capabilities, could have a material adverse effect on our business, sales, and results of operations.” Governance Our board of directors recognizes the critical importance of cybersecurity in safeguarding our company’s assets, reputation, and customer trust. Our board of directors addresses our company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain management members, including Mr. Henry He Li, our chief technology officer, Chris Williams (SecurePoint 360), our virtual chief information security officer, and Mr. David Rice, our global IT manager. Our cybersecurity incident response policy and vulnerability management policy are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our chief technology officer. These management members work with related incident response functions, including the information technology department, the product development department and the legal department, to help the company mitigate and remediate cybersecurity incidents of which they are notified. In addition, our company’s incident response policy and vulnerability management policy include reporting to the audit committee of the board of directors for certain cybersecurity incidents. Our audit committee receives periodic reports from our information technology department concerning the company’s significant cybersecurity threats and risk and the processes the company has implemented to address them. Artificial Intelligence AI possesses the potential to transform various work sectors significantly. Currently, we are in the early stages of enhancing and broadening our offerings with AI technologies, aiming to assist our clients in tackling current challenges. Our dedication lies in actualizing AI’s potential while ensuring ethical practices. Our approach is underpinned by fundamental values: ensuring equity, dependability, and safety, maintaining privacy and security, promoting inclusiveness, upholding transparency, and embracing accountability.

Company Information

NameMoatable, Inc.
SIC DescriptionServices-Prepackaged Software
CategoryNon-accelerated filer
Smaller reporting company
Fiscal Year EndDecember 30