Page last updated on November 6, 2025
Skillz Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-06 17:15:48 EST.
Accession Number: 0001801661-25-000050
Item 1C. Cybersecurity.
We take a comprehensive approach to cybersecurity risk management. While securing our customers' and stakeholders' data is a top priority, like many companies with a public presence, we are subject to human-targeted and AI-assisted cyberattacks. Our board of directors (the "Board") and our management are involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices designed to assess, identify, and manage material risks from cybersecurity threats. We have devoted significant financial and personnel resources to implement and maintain security measures in an effort to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments in our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be effective, as cyber criminals are becoming more sophisticated and effective every day and increasingly targeting enterprise software companies.
Although our Risk Factors include further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that such incidents will not materially affect us, including our business strategy, results of operations, or financial condition. For the year ended December 31, 2024, we are not aware of any material cybersecurity incidents that had a significant impact on our operations or financial condition.
For more information on our cybersecurity-related risks see the risk factor entitled "We rely on information technology ("IT") and other systems and platforms, and any failures, errors, defects or disruptions in our or our vendors' or other partners' systems or platforms could diminish our brand and reputation, subject us to liability, disrupt our business, affect our ability to scale our technical infrastructure and adversely affect our business, financial condition, operating results and growth prospects" in Part I, Item 1A Risk Factors of this Annual Report on Form 10-K, above.
Risk Management and Strategy
Our policies, standards, processes and practices designed to assess, identify, and manage material risks from cybersecurity threats are integrated into our overall risk management program. These policies, standards, processes, and practices are based on maintaining a security-in-depth methodology as informed by the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, the International Organization for Standardization ("ISO")/IEC 27001 and other applicable industry standards. Key controls include:
(a) Zero trust network architecture for employee privileged and non-privileged application access;
(b) Mandatory employee security awareness training and phishing simulations, plus follow-up remedial training if necessary;
(c) Periodic third-party network and host vulnerability scans; and
(d) 24/7 Security Operations Center monitoring all corporate endpoints, which escalates to senior engineering resources as necessary for incident response and remediation.
We also maintain a cyber insurance policy to mitigate financial exposure from any security incidents. Our cybersecurity program in particular focuses on the following key areas:
Collaboration
Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach.
Key security, risk, and compliance stakeholders meet periodically to develop strategies designed to preserve the confidentiality, integrity and availability of Company and customer information, identify, prevent and mitigate cybersecurity threats, and to attempt to effectively respond to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in an informed and timely manner.
Risk Assessment
We conduct a cybersecurity risk assessment at least annually that takes into account information from internal resources (e.g., vulnerability scans, incident reporting), known information security vulnerabilities, and information received from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants).
Technical Safeguards
We periodically assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are periodically evaluated and improved as necessary, based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
Incident Response and Recovery Planning
We have established comprehensive incident response ("IR") and recovery plans and continue to periodically test and evaluate the effectiveness of those plans. Our IR plan provides our team with strategies for how to respond to incidents appropriately.
Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers may be subject to security risk assessments at the time of onboarding, contract renewal, or upon detection of an increase in risk profile, according to our vendor security review process.
We use a variety of inputs in such risk assessments, including information supplied by providers and third parties.
Education and Awareness
Our policies require each of our employees to contribute to our data security efforts. We periodically remind and reinforce with our employees the importance of handling and protecting customer and employee data, including through annual privacy and security training designed to enhance awareness of how to prevent, detect, report, and respond to cybersecurity threats. We also conduct periodic phishing training and follow up with remedial testing and training as necessary.
External Assessments
Our cybersecurity policies, standards, processes and practices are periodically assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. For example, in 2022, 2023 and 2024 we conducted independent cyber maturity assessments to review our controls against portions of the NIST Cybersecurity Framework. We also have achieved PCI SAQ-A Compliance every year since 2019. The results of significant assessments are reported to management, the Board and Audit Committee. Cybersecurity processes are adjusted, as appropriate, based on the information provided from these assessments.
Governance
Our Principal Security Engineer ("PSE") is responsible for the day-to-day assessment and management of our material cybersecurity risks. From November 2021 until May 2025, the Principal Security Engineer (the "PSE-1") that served in this role had more than 18 years of experience in various information technology, cybersecurity and systems engineering roles.
PSE-1's previous experience includes building and leading cybersecurity functions at large enterprises, startups, and research and development centers, as well as leading software teams which were acquired by Fortune 50 enterprises. PSE-1 also had expertise in building and designing secure software, scalable and resilient systems, incident response practices, privacy programs and other critical security disciplines and practice areas. The Principal Security Engineer holds a master's degree in physics and systems engineering.
Since May 2025, the Company's Manager of IT ("PSE-2") has assumed the responsibilities of the Principal Security Engineer role. With more than 18 years of experience in information technology and over 12 years in IT management across technology-driven and interactive entertainment organizations, PSE-2 has frequently led both IT operations and cybersecurity initiatives, often as the sole technical lead. Responsibilities have included securing infrastructure, implementing security controls, and supporting secure business operations.
To ensure robust oversight, we are establishing a Security Council, led by our Principal Security Engineer, that is comprised of senior leaders, including our Chief Executive Officer, Controller, Chief Financial Officer, and Interim General Counsel. The Security Council has primary management oversight responsibility for assessing and managing risks related to information security, fraud, vendor oversight, data protection and privacy, and our cybersecurity program, as well as responsibility for management of our information security systems. The Board is responsible for overseeing the Company's enterprise risk. The Security Council reports to the Board on cybersecurity risks.
In addition to our ongoing ordinary course cybersecurity oversight procedures, we also have a security incident response framework in place.
We use this incident response framework as part of the process we employ to keep our management and the Board informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The framework is a set of coordinated procedures and tasks that our incident response team, under the direction of the Security Council, executes in the event of a cybersecurity incident that is designed to provide timely and accurate information flow, escalation for remediation and consideration of public disclosures, and resolution of cybersecurity incidents.
Our cybersecurity framework includes periodic compliance assessments with our policies and standards and applicable state and federal statutes and regulations. In addition, we seek to validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits. We also conduct annual cybersecurity tabletop exercises, with the intent of validating our IR policies and procedures.
Company Information
| Name | Skillz Inc. |
| CIK | 0001801661 |
| SIC Description | Services-Computer Processing & Data Preparation |
| Ticker | SKLZ - NYSE |
| Website | |
| Category | Accelerated filer, Smaller reporting company |
| Fiscal Year End | December 30 |