DraftKings Inc. 10-K Cybersecurity GRC - 2026-02-13

Page last updated on February 13, 2026

DraftKings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 07:10:13 EST.

Filings

10-K filed on 2026-02-13

DraftKings Inc. filed a 10-K at 2026-02-13 07:10:13 EST
Accession Number: 0001883685-26-000013


Item 1C. Cybersecurity.

The Company maintains a governance structure to address cybersecurity risk, which involves a dedicated Information Security Team (the "Information Security Team"), an executive security steering committee (the "Executive Security Steering Committee"), the Compliance and Risk Committee of the Board and the Board.

The Company's Information Security Team, led by our Chief Information Security Officer ("CISO"), is responsible for identifying, assessing, mitigating and reporting on material cybersecurity risks to the Company's Executive Security Steering Committee. The Company's CISO holds high-level licenses and certifications relating to information security, including a Certified Information Security Manager from the Information Systems Audit and Control Association and a Certified Information Systems Security Professional and a Certified Cloud Security Professional from the International Information Security System Security Certification Consortium.

The Company's Executive Security Steering Committee, chaired by the Company's CISO and comprised of various cross-functional members of senior management, drives awareness and alignment across broad stakeholder groups for cybersecurity governance and risk management and reporting. The Executive Security Steering Committee receives quarterly reports from the Company's CISO. The Compliance and Risk Committee receives regular reports from the Company's CISO. The Compliance and Risk Committee periodically reports to the Board.

The Company maintains an operational Incident Response Plan ("IRP") that defines how the Company handles cybersecurity incidents, including identification, assessment, escalation, reporting and remediation procedures. The IRP is reviewed annually both internally and by third parties during regular audits. In addition, the Company retains a preferred partner with expertise in cybersecurity risks and incidents to advise on cybersecurity related matters. The Company's preferred partner is also part of the Company's IRP procedures and provides independent analysis and advice during cybersecurity investigations.

The Company also maintains a Security Awareness Program, which is designed, implemented and maintained by the Company's CISO. The Company's Security Awareness Program includes training that reinforces the Company's information technology risk and security management policies, standards and practices, as well as the expectation that employees comply with these policies. The Security Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect the Company's resources and information, as well as how to respond to unauthorized access to or use of Company information. The Security Awareness Program training is mandatory for all employees globally at least annually, and it is supplemented by Company-wide assessment initiatives, including periodic testing. The Company provides specialized security training for certain employee roles, such as application developers.

The Company conducts periodic tests to assess the Company's processes and procedures and the threat landscape, which are designed with the goal of implementing and maintaining a robust cybersecurity program. Where appropriate, the Company takes additional and ongoing steps intended to strengthen the Company's cybersecurity capabilities and mitigate the risk of a breach or incident. The Company's security program and IT-related controls are regularly examined by internal auditors, external auditors and various regulators. For example, each year, the Company conducts various third-party audits, including SOC 2 Type 2, PCI DSS and ISO 27001. The Company also engages third-party consultants for incident responses. These third-party consultants report directly to the CISO and, depending on the nature of the incident, report directly to the Executive Security Steering Committee on various topics, including effects of the incident and recommendations on how to strengthen the Company's cybersecurity capabilities and mitigate the risk of a breach or incident.

In addition to assessing the Company's cybersecurity preparedness, the Company also considers and evaluates cybersecurity risks associated with its use of third-party service providers. The Company maintains a vendor onboarding program, pursuant to which the Company regularly reviews third-party hosted applications and, when available, requests its vendors to provide SOC 2 Type 2 reports and/or ISO 27001 certificates. The Company's assessment of risks associated with use of third-party providers is part of the Company's overall cybersecurity risk management program.

Although we have designed our cybersecurity program and governance procedures above to mitigate cybersecurity risks, we have experienced, and we may in the future experience cybersecurity risks, threats and attacks. To date, these risks, threats and attacks have not had a material impact on our operations, business strategy or financial results, but we cannot provide assurance that they will not have a material impact in the future. See the section entitled "Risk Factors" included elsewhere in this Annual Report for further information. We continuously work to enhance our cybersecurity risk management program.


Company Information

Name: DraftKings Inc.
CIK: 0001883685
SIC Description: Services-Miscellaneous Amusement & Recreation
Ticker: DKNG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31