UPWORK, INC 10-K Cybersecurity GRC - 2026-02-12

Page last updated on February 13, 2026

UPWORK, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 18:11:18 EST.

Filings

10-K filed on 2026-02-12

UPWORK, INC filed a 10-K at 2026-02-12 18:11:18 EST
Accession Number: 0001627475-26-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy Our cybersecurity and data privacy risk management processes are integrated into our enterprise risk management program, and we have established processes for assessing, identifying, and managing material risks arising from cybersecurity threats. We maintain physical, technical, and administrative safeguards designed to protect information assets and have defined procedures for incident detection, containment, response, and remediation . Our information security team is primarily responsible for managing cybersecurity risk and works in close coordination with our legal team on data privacy risk management. We conduct regular cybersecurity test exercises involving relevant stakeholders to reinforce roles, decision-making processes, and escalation protocols. These exercises are designed not only to confirm accountability, but also to strengthen organizational readiness by training teams to respond effectively under realistic conditions and to continuously improve our incident response capabilities. We have implemented controls and procedures to support the timely identification and escalation of cybersecurity incidents, enabling management to evaluate, respond to, and determine appropriate disclosure and reporting actions in a timely manner . Our platforms and workforce solutions maintain security and privacy programs informed by industry-recognized standards and frameworks, including ISO standards and SOC reporting, as appropriate for their respective products, operating environments, and customer requirements. These programs are designed to support the protection of customer data and compliance with applicable security and privacy obligations. Certain platforms and workforce solutions maintain separate certifications and attestations that reflect their distinct environments and enterprise customer needs. Our information security controls operate at multiple levels and are designed to detect, prevent, and mitigate cybersecurity threats that could affect the confidentiality, integrity, and availability of our data and our customers' data. To support operations at scale, we have automated certain risk mitigation measures and regularly evaluate their effectiveness. We have implemented trust and safety processes intended to help prevent and detect suspicious and fraudulent activity on our platforms. As part of the development and operation of the Upwork Marketplace, we have designed and refined proprietary detection mechanisms, including pattern-based techniques, to identify anomalous or potentially malicious behavior, and we continue to enhance these capabilities in response to an evolving threat landscape. We regularly review and update our information security policies, standards, and procedures to reflect changes in our cybersecurity posture, emerging risks, and risk mitigation strategies. We also provide regular, mandatory cybersecurity training to our personnel to raise awareness of cybersecurity risks, reinforce secure practices, and communicate updates to our information security policies, standards, processes, and practices. We engage third parties, including vendors and other external service providers, to support elements of our cybersecurity and data privacy programs, such as risk assessments, program enhancements, and user verification services. These third parties provide security-related services, including independent evaluations of our security environment and assessments of our technology and security controls using industry-recognized frameworks. We also operate a vulnerability disclosure and bug bounty program to support the ongoing identification of potential security vulnerabilities. In addition, our information security team performs regular security scans to identify known vulnerabilities and supports remediation efforts as appropriate. We maintain processes to identify, assess, and oversee cybersecurity risks associated with our use of third-party service providers. Our approach is risk-based and is designed to evaluate cybersecurity risks posed by vendors, service providers, and other third parties, including risks arising from third-party systems that could adversely affect our business in the event of a cybersecurity incident. As part of these processes, we perform due diligence on vendors and prospective vendors with respect to their cybersecurity practices and controls. Cybersecurity risk management is integrated into our broader enterprise risk management program, which is overseen by the audit, risk and compliance committee of our board of directors, which we refer to as our audit committee, and cybersecurity considerations are an important component of our overall approach to enterprise risk management. We deploy technical safeguards designed to protect our information systems from cybersecurity threats, including network security controls, intrusion detection and prevention technologies, endpoint detection and response capabilities, logging, monitoring and alerting mechanisms, anti-malware protections, advanced email security, and access controls. These safeguards are evaluated and enhanced through vulnerability assessments and the use of 33 cybersecurity threat intelligence. Access to our platform is encrypted using industry-standard transport layer security protocols. Sensitive information transmitted through our platform, including certain personal and financial data, is encrypted during transmission, and data stored on systems containing personally identifiable information is encrypted at rest. We also implement additional security mechanisms, such as HTTP Strict Transport Security (HSTS), to help ensure secure connections to our website. Customers may elect to enhance the security of their accounts by enabling multi-factor authentication. In addition, we maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) for payment processing, reflecting adherence to industry-recognized security requirements applicable to organizations that process payment card transactions. To date, cybersecurity threats, including any prior cybersecurity incidents, have not had a material impact on our business strategy, operating results, or financial condition. However, a future material cybersecurity incident could have a material adverse effect on our business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see "Risk Factors-If we or our third-party partners experience a security breach, other hacking or phishing attack, ransomware or other malware attack, or other privacy or security incident, our platforms and other workforce solutions may be perceived as not being secure, our reputation may be harmed, demand for our offerings may be reduced, our operations may be disrupted, we may incur significant legal costs, fines, or liabilities, and our business could be adversely affected." Cybersecurity Governance While everyone at Upwork plays a part in managing cybersecurity and data privacy risks, oversight responsibility is shared by our board of directors, audit committee, and management. Our board of directors, as a whole, has responsibility for risk oversight, and the committees of our board of directors oversee and review risk areas that are particularly relevant to their respective functions. Among its focus areas, our audit committee reviews matters relating to cybersecurity and data privacy and regularly reports to our board of directors regarding such matters. One member of our audit committee earned NACD's CERT Certificate in Cybersecurity Oversight in 2025. Our Chief Information Security Officer , who we refer to as our CISO, presents quarterly cybersecurity-related updates to our audit committee, including at least one update to the full board of directors each year, regarding recent developments, evolving standards, metrics about cyber threat response preparedness, program maturity milestones, material cybersecurity risks and risk mitigation status, and the current and emerging threat landscape. We also have implemented controls and procedures that provide for the communication of material cybersecurity incidents to our Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, and Chief Legal Officer, as well as to our audit committee and/or to our full board of directors on a timely basis. Our CISO leads our cybersecurity risk management program and collaborates closely with our legal team on data privacy matters at the management level. Appointed as our CISO in April 2025 after joining Upwork in 2021, our CISO has over two decades of experience in technology leadership roles across the healthcare and technology industries, including dedicated information security leadership positions at two publicly traded companies (including Upwork) since 2016. Our CISO is supported by a seasoned leadership team composed of information security professionals who have held roles at some of the most well-known global brands and are recognized experts in their respective fields. Our CISO actively oversees and participates in the development and implementation of our cybersecurity policies and procedures, and the cybersecurity team provides the CISO with regular updates on the threat landscape, incidents, and emerging risks. Our CISO and his team provide regular updates to the management team and promptly escalate issues that warrant executive attention.

Company Information