Opendoor Technologies Inc. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

Opendoor Technologies Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:25:06 EST.

Filings

10-K filed on 2026-02-19

Opendoor Technologies Inc. filed a 10-K at 2026-02-19 16:25:06 EST
Accession Number: 0001801169-26-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity " for additional information regarding our cybersecurity governance, risk management and strategy. Internet law is evolving, and unfavorable changes to, or failure by us to comply with, these laws and regulations could adversely affect our business, results of operations, and financial condition. We are subject to regulations and laws specifically governing the internet. The scope and interpretation of the laws that are or may be applicable to our business are often uncertain, subject to change, and may be conflicting. If we incur costs or liability as a result of unfavorable changes to these regulations or laws or our failure to comply therewith, our business, results of operations, and financial condition could be adversely affected. Any costs incurred to prevent or mitigate this potential liability could also harm our business, results of operations, and financial condition. Our fraud detection processes and information security systems may not successfully detect all fraudulent activity by third parties aimed at our employees or customers, which could adversely affect our reputation and business results. Third-party actors have attempted in the past, and may attempt in the future, to conduct fraudulent activity by engaging with our customers, particularly in our title insurance and escrow business. We make a large number of wire transfers in connection with loan and real estate closings and process sensitive personal data in connection with these transactions. We may not be able to detect and prevent all fraudulent activity on our mobile applications, websites, and internal systems. Similarly, the third parties we use to effectuate these transactions may fail to maintain adequate controls or systems to detect and prevent fraudulent activity. Fraudulent activity may result in litigation or government actions, for example, if individuals or regulators deem our fraud detection processes inadequate. Additionally, persistent or pervasive fraudulent activity may cause customers and real estate partners to lose trust in us and decrease or terminate their usage of our products, or could result in financial loss, thereby harming our business and results of operations. 45 TABLE OF CONTENTS OPENDOOR TECHNOLOGIES INC. Our risk management efforts may not be effective. We could incur substantial losses and our business operations could be disrupted if we are unable to effectively identify, manage, monitor, and mitigate financial risks, such as pricing risk, interest rate risk, liquidity risk, and other market-related risks, as well as operational and legal risks related to our business, assets, and liabilities. We also are subject to various laws, regulations and rules that are not industry specific, including employment laws related to employee hiring and termination practices, health and safety laws, environmental laws and other federal, state and local laws, regulations and rules in the jurisdictions in which we operate. Our risk management policies, procedures, and techniques may not be sufficient to identify all of the risks to which we are exposed, mitigate the risks we have identified, or identify additional risks to which we may become subject in the future. Expansion of our business activities may also result in our being exposed to risks to which we have not previously been exposed or may increase our exposure to certain types of risks, and we may not effectively identify, manage, monitor, and mitigate these risks as our business activities change or increase. We are from time to time involved in, or may in the future be subject to, claims, suits, government investigations, and other proceedings that may result in adverse outcomes. We are from time to time involved in, or may in the future be subject to, claims, suits, government investigations, and proceedings arising from our business, including actions with respect to intellectual property, privacy, consumer protection, information security, our mortgage services, real estate, environmental, data protection or law enforcement matters, tax matters, labor and employment, and commercial claims, as well as actions involving content generated by our customers, shareholder derivative actions, purported class action lawsuits, and other matters. Such claims, suits, government investigations, and proceedings are inherently uncertain, and their results cannot be predicted with certainty. Regardless of the outcome, any such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, negative publicity and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties, or sanctions, as well as judgments, consent decrees, or orders preventing us from offering certain features, functionalities, products, or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results and financial condition. Our business could be negatively impacted by corporate citizenship and ESG matters, different points of view regarding such matters, and/or our reporting of such matters. Certain institutional, individual, and other investors, proxy advisory services, regulatory authorities, consumers, and other stakeholders are focused on ESG practices of companies. For example, various groups produce ESG scores or ratings based at least in part on a company's ESG disclosures, and certain market participants, including institutional investors and capital providers, use such ratings to assess companies' ESG profiles. Simultaneously, there are efforts by some stakeholders to reduce companies' efforts on certain ESG-related matters. Both advocates and opponents to ESG matters are increasingly resorting to a range of activism forms, including media campaigns, shareholder proposals and litigation, to advance their perspectives. To the extent we are subject to such activism, it may require us to incur costs or otherwise adversely impact our business. There are also increasing and evolving regulatory expectations regarding ESG matters. For example California has passed legislation that requires reporting on climate related financial risks and greenhouse gas emissions, as well as disclosures regarding use of offsets and emissions reduction claims, some of which are currently subject to legal challenges. Similar legislation has been proposed elsewhere including in the state of New York, and other regulators or lawmakers may propose new climate or ESG-related regulations from time to time. Conversely, other jurisdictions have considered adopting laws seeking to limit the use of ESG initiatives in certain contexts. Compliance with various and potentially fragmented disclosure rules may be costly and subject us to criticism by regulators, investors, the media or other stakeholders for the accuracy, adequacy or completeness of potential ESG disclosures and could adversely impact our reputation and financial position. As we look to respond to evolving standards for identifying, measuring, and reporting ESG information, our efforts may result in a significant increase in costs and may nevertheless not meet investor or other stakeholder expectations and evolving standards or regulatory requirements. For example, actions or statements that we may take based on expectations, assumptions, or third-party information that we currently believe to be reasonable may subsequently be determined to be erroneous or not in keeping with best practice. If we fail to, or are perceived to fail to, comply with or advance certain ESG initiatives (including the manner in which we complete such initiatives), we may be subject to various adverse impacts, including to our financial results, our reputation, our ability to attract or retain employees, our attractiveness as a service provider, investment, or business partner, or expose us to government enforcement actions, private litigation, and actions by stockholders or stakeholders. Additionally, many of our business partners and suppliers may be subject to similar expectations, which may augment or create additional risks, including risks that may not be known to us. 46 TABLE OF CONTENTS OPENDOOR TECHNOLOGIES INC. Item 1B. Unresolved Staff Comments. None. Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our critical systems and information. Our program is designed to align with relevant legal requirements and draws upon widely accepted security frameworks and practices. We take an integrated , organization-wide approach to evaluating and addressing cybersecurity risks, incorporating these considerations alongside other enterprise risks such as regulatory, financial, and operational concerns. Key elements of our program include, but are not limited to, the following: - processes designed to identify, assess, and prioritize cybersecurity threats to our critical systems and information; - technical controls and processes intended to detect and remediate weaknesses in our systems and software; - the use of third-party service providers , where appropriate, to assist with aspects of our program; - evaluation of key service providers based on our assessment of their criticality to our operations and respective risk profile, for example, through due diligence, contractual protections, and periodic review; - practices designed to safeguard personal information and maintain compliance with data protection requirements; - ongoing monitoring capabilities to detect and evaluate potential security threats; and - a cybersecurity incident response plan that includes documented procedures for responding to, containing, and recovering from cybersecurity events. We have experienced a number of cybersecurity incidents in the past, which we do not believe to be material, regularly experience cybersecurity attempts, and expect that we will continue to experience varying degrees of cybersecurity attempts and incidents in the future. To date, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, there can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our systems and information. See " Item 1A. Risk Factors " for additional discussion regarding the risks we face from cybersecurity threats. Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit and Risk Committee (the "Committee") oversight of cybersecurity and other information technology risks. The Committee oversees management's implementation of our cybersecurity risk management program. The Committee receives updates at least annually from our Vice President of Engineering or his designees and management on our cybersecurity risk management and strategy, including, as applicable, progress towards our risk-mitigation goals, results from third-party assessments, and the emerging threat landscape. In addition, management updates the Committee, where it deems appropriate, regarding cybersecurity incidents it considers significant. The Committee reports to the full Board regarding its activities, including those related to cybersecurity and, will, from time to time, brief the full Board on our cybersecurity risk management program. From time to time, our Committee members receive presentations on cybersecurity topics from our internal or external experts as part of its continuing education on topics that impact public companies. Our Vice President of Engineering, in coordination with our internal security staff, is responsible for assessing and managing our material risks from cybersecurity threats, and has primary responsibility for our overall cybersecurity risk management program and supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants. 47 TABLE OF CONTENTS OPENDOOR TECHNOLOGIES INC. Our Vice President of Engineering, who possesses a 13-year track record in product development and engineering, six years of which consist of overseeing technology, including the oversight of information security systems, reports directly to our Chief Executive Officer. This extensive experience spans both public and private companies. Our Vice President of Engineering takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports produced by security tools deployed in the IT environment, such as regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises.
Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our critical systems and information. Our program is designed to align with relevant legal requirements and draws upon widely accepted security frameworks and practices. We take an integrated , organization-wide approach to evaluating and addressing cybersecurity risks, incorporating these considerations alongside other enterprise risks such as regulatory, financial, and operational concerns. Key elements of our program include, but are not limited to, the following: - processes designed to identify, assess, and prioritize cybersecurity threats to our critical systems and information; - technical controls and processes intended to detect and remediate weaknesses in our systems and software; - the use of third-party service providers , where appropriate, to assist with aspects of our program; - evaluation of key service providers based on our assessment of their criticality to our operations and respective risk profile, for example, through due diligence, contractual protections, and periodic review; - practices designed to safeguard personal information and maintain compliance with data protection requirements; - ongoing monitoring capabilities to detect and evaluate potential security threats; and - a cybersecurity incident response plan that includes documented procedures for responding to, containing, and recovering from cybersecurity events. We have experienced a number of cybersecurity incidents in the past, which we do not believe to be material, regularly experience cybersecurity attempts, and expect that we will continue to experience varying degrees of cybersecurity attempts and incidents in the future. To date, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, there can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our systems and information. See " Item 1A. Risk Factors " for additional discussion regarding the risks we face from cybersecurity threats. Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit and Risk Committee (the "Committee") oversight of cybersecurity and other information technology risks. The Committee oversees management's implementation of our cybersecurity risk management program. The Committee receives updates at least annually from our Vice President of Engineering or his designees and management on our cybersecurity risk management and strategy, including, as applicable, progress towards our risk-mitigation goals, results from third-party assessments, and the emerging threat landscape. In addition, management updates the Committee, where it deems appropriate, regarding cybersecurity incidents it considers significant. The Committee reports to the full Board regarding its activities, including those related to cybersecurity and, will, from time to time, brief the full Board on our cybersecurity risk management program. From time to time, our Committee members receive presentations on cybersecurity topics from our internal or external experts as part of its continuing education on topics that impact public companies. Our Vice President of Engineering, in coordination with our internal security staff, is responsible for assessing and managing our material risks from cybersecurity threats, and has primary responsibility for our overall cybersecurity risk management program and supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants. 47 TABLE OF CONTENTS OPENDOOR TECHNOLOGIES INC. Our Vice President of Engineering, who possesses a 13-year track record in product development and engineering, six years of which consist of overseeing technology, including the oversight of information security systems, reports directly to our Chief Executive Officer. This extensive experience spans both public and private companies. Our Vice President of Engineering takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports produced by security tools deployed in the IT environment, such as regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises.

Company Information