Sonder Holdings Inc. 10-K Cybersecurity GRC - 2025-07-23

Page last updated on September 8, 2025

Sonder Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-07-23 20:02:29 EDT.

Filings

10-K filed on 2025-07-23

Sonder Holdings Inc. filed a 10-K at 2025-07-23 20:02:29 EDT
Accession Number: 0001819395-25-000088

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our business involves the collection, storage, transmission, and other processing of confidential and sensitive data, including information about our guests and employees, and our operations depend on various information technology systems, communications networks, and technology applications, including those of third parties, such as software-as-a-service providers. Accordingly, we face cybersecurity threats on an ongoing basis. As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, financial condition, and cash flows. For additional information regarding risks from cybersecurity threats, please refer to Item 1A. Risk Factors in this Annual Report on Form 10-K. We have implemented, and continue to develop, various information security processes and measures designed to identify, assess, and manage material risks from cybersecurity threats. Depending on the context, our technical and operational measures include vulnerability and risk assessments, network security and access controls, encryption of relevant data, systems monitoring, and employee training. Our Information Security team refers to the National Institute of Standards and Technology cybersecurity framework, among other industry reference sources, as a general guide in implementing security measures and addressing cybersecurity risks. On an ongoing basis, our senior management team considers cybersecurity risks among our other important enterprise-wide risks. We work with third parties from time to time to assist us in our cybersecurity efforts, including technology consulting firms and legal advisors, and on a periodic basis, an external vulnerability testing vendor with respect to certain Payment Card Industry Data Security Standard requirements. Depending on the nature of the services provided, the information involved, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider. We also participate in a “bug bounty” program that provides incentives for third-party researchers to identify possible system vulnerabilities. We also maintain cybersecurity insurance coverage. Our insurance coverage may not cover or fully insure all cybersecurity-related risks that we face, as described in Item 1A. Risk Factors in this Annual Report on Form 10-K. Governance Our Board has ultimate oversight responsibility for the Company’s strategy and risk management, including material risks related to cybersecurity threats. The Board administers its risk oversight function directly and through the Audit Committee. Our executive officers are responsible for the day-to-day management of the material risks we face, including cybersecurity risks. Among other things, management is responsible for hiring appropriate personnel, designing and implementing cybersecurity-related processes, communicating priorities to relevant personnel, and assessing cybersecurity incidents as they arise. Among members of our senior management, cybersecurity matters are overseen by our Vice President, Technical Product Management , who reports to our Chief Executive Officer and has more than two decades of experience in product leadership, engineering, and information technology. Our Senior Director, Information Technology Compliance and Information Security (“Head of Information Security”) reports to our Vice President, Technical Product Manager, and leads our cybersecurity risk assessment, management, and response processes, including their implementation and maintenance. Before joining Sonder in January 2022, our Head of Information Security had approximately 18 years of additional experience as an information security officer and security consultant. He holds CISSP, CISM, and CDPSE certifications. Our cybersecurity incident response and vulnerability management processes are designed to escalate cybersecurity incidents to members of management, and if applicable, to our Board, depending on the circumstances. Our Head of Information Security also has monthly program updates with our Vice President, Technical Product Manager and other technology team members to discuss cybersecurity and other technology related initiatives, progress and status. Additional discussions and updates occur in preparation for quarterly Board meetings and on an ad hoc basis. The Board receives quarterly reports from management, concerning significant cybersecurity risks, assessments, and related matters. Management also updates our Audit Committee concerning cybersecurity matters from time to time.

Company Information