Page last updated on February 19, 2026
EBAY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:04:20 EST.
Filings
10-K filed on 2026-02-19
EBAY INC filed a 10-K at 2026-02-19 16:04:20 EST
Accession Number: 0001065088-26-000027
Item 1C. Cybersecurity.
Risk Management and Strategy
Our approach to risk management is designed to identify, assess, prioritize and manage risk exposures that could affect our ability to execute our corporate strategy and fulfill our business objectives. As part of our comprehensive enterprise risk management ("ERM") program, we perform risk assessments in which we map and prioritize cybersecurity risks identified through the processes described below, including risks associated with our use of third-party service providers, based on probability, immediacy and potential magnitude. We view cybersecurity risks as one of the key enterprise risks we face, and these assessments help inform our ERM strategies and oversight processes. For example, like other ecommerce companies, we face a material risk that our information technology and infrastructure may be vulnerable to cyberattacks (including ransomware attacks) or other security events, as a result of which unauthorized third parties may be able to access our personnel or users' personal information or user payment card data that are stored on or accessible through our systems. We cannot guarantee that our information technology and infrastructure can ever be immune from these risks. For more information regarding the cybersecurity-related risks we face, see the information in "Item 1A: Risk Factors" under the caption "We face significant risk from cyberattacks and data security breaches."
Our processes for assessing, identifying and managing cybersecurity risks and vulnerabilities are embedded across our business as part of our ERM program. Among other things, we (i) conduct audits and tests of our information systems (including reviews and assessments by independent third-party advisors) to help identify areas for continued focus and improvement; (ii) review cybersecurity threat information published by government entities and other organizations in which we participate; (iii) provide cybersecurity awareness training for all employees and enhanced training for information security and other specialized personnel; (iv) conduct phishing simulation testing of all personnel; (v) perform security risk assessments of third-party providers to evaluate controls, mitigations and contractual obligations, as well as reporting obligations in connection with cybersecurity events and other risks that could have an adverse impact on eBay data and information systems; (vi) perform security risk assessments of newly acquired companies as well as material changes to products and technologies and (vii) conduct tabletop exercises to simulate and test responses to cybersecurity events. We also maintain "responsible disclosure" and "bug bounty" programs to encourage professional security researchers to report potential security vulnerabilities to us. We use the findings from these and other processes, as well as benchmarking against industry practices, to improve our cybersecurity practices, procedures and technologies.
We also have implemented and maintain cybersecurity incident response plans, which include processes to triage, assess, escalate, contain, investigate and remediate cybersecurity events, and to comply with potentially applicable legal obligations and mitigate brand and reputational damage. In addition, we maintain insurance to protect against potential losses arising from a cybersecurity event.
Governance and Oversight
Our ERM program enables our Board to establish a mutual understanding with management on the effectiveness of our cybersecurity risk management practices and capabilities, including the division of responsibilities for reviewing our risk exposure and risk tolerance, tracking emerging risks and ensuring proper escalation of certain key risks for periodic review by the Board and its committees.
As part of its broader risk oversight activities, the Board oversees risks from cybersecurity threats, both directly and through its committees. As reflected in their respective charters, the Technology Committee of the Board (the "Technology Committee") assists the Board in its management of cybersecurity and data management risks, and the Risk Committee of the Board (the "Risk Committee") oversees our ERM function and structure, including governance structure and our guidelines and processes for risk assessment and risk management. The Audit Committee of the Board (the "Audit Committee") also oversees our audits of our cybersecurity practices and controls, as well as our internal control over financial reporting, including with respect to financial reporting-related information systems.
As an element of its ERM oversight activities, the Risk Committee regularly reviews the results of our enterprise risk assessments, and the Technology Committee regularly reviews risk assessments relating to cybersecurity, as well as management's strategies to detect, monitor and manage such risks. The Technology Committee discusses these risks with our Chief Technology Officer ("CTO") and Chief Information Security Officer ("CISO") and regularly reports to the Board on the substance of these reviews and discussions. Each year, the Technology Committee also receives "deep dive" reports from our CTO and CISO on cybersecurity and data management risks, and the full Board also discusses cybersecurity risks with our CTO and CISO from time to time. In addition, our CTO and CISO may also report to the Risk Committee, Technology Committee or the full Board, as appropriate, on the management of certain cybersecurity risks and progress towards agreed mitigation goals, as well as any potential material risks from cybersecurity threats or events that have been detected by the information security team, and the remediation thereof.
We maintain an information security policy which was approved by the Board and delegates to our CISO, as head of our information security function, the authority and responsibility for managing our information security program. Our CISO reports to our CTO and is responsible for day-to-day identification, assessment and management of the cybersecurity risks we face. Along with other senior managers, our CTO and CISO are also responsible for prioritizing cybersecurity risks and developing a culture of risk-aware practices. Existing and emerging cybersecurity risks are reported to and discussed with the CTO and CISO on a regular basis and as needed based on the threat level or severity of an incident.
Our CTO, Mazen Rawashdeh, has served in his role since July 2019 and previously served as our Chief Infrastructure and Architecture Officer since May 2016. Prior to that, he was VP of Infrastructure Engineering and Operations responsible for global infrastructure engineering at Twitter for over four years. He received his BSCS in computer science and mathematics. Our CISO, Sean Embry, has served in his role since August 2015 and previously served as the senior leader responsible for infrastructure and operations engineering at Salesforce for three years. He received his BSBA in management information systems and decision sciences, and his MBA in information technology management.
In accordance with our information security incident response plans, our information security team assesses the severity of any incidents it detects and follows escalation procedures embedded within the plans for upward reporting to the CISO and CTO, other members of management and the Board, each as needed. In addition to the ordinary-course Board and Technology Committee reporting and oversight described above, we also maintain disclosure controls and procedures, including within our cybersecurity incident response plans, designed for analysis of potentially material events covered by our risk management framework, including cybersecurity incidents or threats.
Company Information
| Name | EBAY INC |
| CIK | 0001065088 |
| SIC Description | Services-Business Services, NEC |
| Ticker | EBAY - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |