Page last updated on February 18, 2026
Figma, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 17:11:03 EST.
Filings
10-K filed on 2026-02-18
Figma, Inc. filed a 10-K at 2026-02-18 17:11:03 EST
Accession Number: 0001628280-26-009228
Item 1C. Cybersecurity.
Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, and we maintain a robust cybersecurity risk management program. The cross-functional group responsible for our cybersecurity risk management includes members of our governance, risk, and compliance ("GRC") team, legal, information technology, procurement, security engineering, and internal audit teams, including members of our senior management team. Our cybersecurity program is designed to anticipate, identify, monitor, evaluate, respond to, and protect against cybersecurity risks, threats, and incidents, including those associated with our products and platform, as well as our use of software, applications, services, and cloud infrastructure developed or provided by third-party vendors and service providers, and to protect the confidentiality, integrity, and availability of our systems and data, including customer information and our intellectual property. This program is informed in part by industry standards and best practices, such as the National Institute of Standards and Technology ("NIST") Cybersecurity Framework.

We have established a comprehensive set of information security policies, which include policies for the mitigation of risks related to cybersecurity threats, as well as an incident management policy, which outlines the procedures for our response to potential cybersecurity incidents. This framework is intended to identify cybersecurity threats and incidents, assess the severity and overall risk of any cybersecurity threat or attack, implement countermeasures and mitigation or remediation strategies, and inform the relevant members of our senior management team, who inform the Audit Committee and our Board of Directors of material cybersecurity threats or incidents.

We regularly review and update these policies to account for changes in the threat and operational landscapes and in response to legal and regulatory developments. Our incident response team is responsible for the assessment, monitoring, and disposition of potential security incidents and implementing an incident response plan. A cross-functional incident management policy includes processes and procedures for assessing and classifying potential incidents by severity and priority, defining roles among the cross-functional incident response team, communicating details of potential incidents to internal stakeholders, advisors, and external authorities, including law enforcement when necessary, and developing a plan for mitigation, containment, remediation, disclosure, and/or notification, in each case to the extent applicable, as well as post-incident recovery designed to safeguard the confidentiality, availability, and integrity of the data and information assets that we store or process.

In addition to our information security policy, our security and legal teams work with our product, design, and engineering teams to identify areas of potential cybersecurity and data privacy risk and implement mitigation or remediation measures with respect to the development of our platform, products, and features. We also require mandatory cybersecurity and data privacy training for all employees and any contractor with access to our information technology systems, as well as additional training for members of our incident response teams. In addition, we engage third parties, including counsel, auditors, consultants, vendors, and other external service providers, to support our cybersecurity and data privacy programs. For example, we regularly engage independent third parties for penetration testing and evaluation of our compliance with various security standards, including SOC 2 Type II, ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

We also have processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, including performing due diligence and review of our vendors' and prospective vendors' cybersecurity risk profile.

Despite significant investments in our cybersecurity risk management program, there can be no assurance that we can prevent or mitigate a cybersecurity incident that could have a material adverse effect on us. However, to date we are not aware of any such incidents that have had a material impact on our offerings, systems, or business. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For additional information about these risks, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K, including "Security and privacy breaches may adversely impact our business, operating results, and financial condition."

Cybersecurity Governance

Our Board of Directors oversees our overall enterprise risk management, and our Audit Committee specifically oversees and regularly reviews cybersecurity risk management. The Audit Committee provides oversight and reviews management policies, processes, and procedures related to the cybersecurity risks to which we are exposed. Management regularly reports to the Audit Committee regarding its process and procedures to mitigate or remediate cybersecurity risks, threats, and incidents, along with results of our cybersecurity monitoring activities.

We also have established a cross-functional team that is responsible for our information security and privacy programs and practices, as well as assessing, identifying, managing, and mitigating security and privacy risks. Members of this team report periodically to the Board of Directors, Audit Committee, and our senior leadership. This team includes senior leaders from our GRC, legal, information technology, procurement, security engineering, and internal audit teams, and is overseen by our Chief Technology Officer, Chief Financial Officer, and our General Counsel.

Our Chief Technology Officer has been with us since 2017, having served as our VP of Engineering or Chief Technology Officer for a total of over eight years, and has over two decades of experience in the engineering and security profession. Our Chief Financial Officer has been with us since 2017, having served as our Head of Business Operations and Finance or Chief Financial Officer for a total of over eight years, and has over ten years of experience in finance and business operations at technology companies. Our General Counsel has been with us since 2019, having served as our Director of Legal, VP of Legal, or General Counsel for a total of over six years, and has over 15 years of experience in the legal profession advising companies in the technology space.

Management is responsible for day-to-day risk management activities, including identifying and assessing cybersecurity risks, establishing processes to ensure that potential cybersecurity risk exposures are mitigated and monitored, implementing appropriate mitigation or remediation measures, and maintaining cybersecurity programs. Members of senior leadership are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through their management of, and participation in, the cybersecurity risk management program described herein.
Company Information
| Field | Value |
| --- | --- |
| Name | Figma, Inc. |
| CIK | 0001579878 |
| SIC Description | Services-Prepackaged Software |
| Ticker | FIG - NYSE |
| Website | |
| Category | Emerging growth company |
| Fiscal Year End | December 31 |