Page last updated on February 25, 2026
MERCADOLIBRE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:05:31 EST.
Filings
10-K filed on 2026-02-25
Accession Number: 0001099590-26-000006
Item 1C. Cybersecurity.
Risk Management and Strategy
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of technology infrastructure and business operations, intellectual property theft, fraud, harm to employees or customers, violation of privacy laws and confidentiality, other litigation and legal risks, and reputational risk, as part of our overall risk management principles and processes. Our risk management framework includes several security pillars, including data security, identity management, cloud security, infrastructure security, application security, incident response, and cybersecurity risk management.
We conduct annual International Organization for Standardization Information Security Management Systems ("ISMS") Requirements ("ISO/IEC 27001") reviews and Payment Card Industry Data Security Standard ("PCI-DSS") reviews of our payment information security controls with the assistance of an external certified auditor. Our cybersecurity risk management processes incorporate frameworks aligned with recognized cybersecurity and cyber risk established frameworks.
Our cybersecurity model is based on four criteria: (i) "Zero Trust" (e.g. a model based on continuous validation of users and devices), (ii) analysis of abnormal or unusual behavior, (iii) automatic response, and (iv) decentralization. Our cybersecurity risk strategy aligns risks, initiatives and controls, consisting of initiatives and projects designed to identify, evaluate, control and monitor cybersecurity risks and incidents. Our data security and privacy strategy focuses on discovery, minimization, detection, response, standardization and awareness.
Our incident response strategy is based on best practices, focusing on proactive and automatic response, preparation and prevention, detection and analysis, containment, eradication, recovery and post-incident activity. We have also implemented a security risk management policy that provides guidance on how to identify, analyze, and optimize risk management and subsequent risk mitigation.
We have processes in place to assess, identify, manage, and address cybersecurity threats and incidents. These include, among other things: mandatory trainings and drills on social engineering, phishing and ransomware attacks for all our employees; tabletop exercises for employees of the information security team; cybersecurity events in which management and/or certain employees participate and/or organize; ransomware prevention and phishing controls allowing for automatic and timely detection and response; and penetration testing, red team exercises and a bug bounty program to help us evaluate the effectiveness of our information security processes and improve our security measures and planning.
We also have teams in place to oversee and manage our cybersecurity risk management processes, including: (i) an information security team, organized around our various services and products, responsible for day-to-day cybersecurity matters related to the respective services and products; (ii) a risk committee that is comprised of members of management and oversees the Company's financial and non-financial risks, including cybersecurity risks, as described in more detail below under the heading "Governance"; and (iii) internal local, corporate and strategic crisis management teams that form part of our crisis management framework.
Our risk management framework includes processes to manage cybersecurity risks associated with AI, such as enhanced governance of AI-related traffic, expanded automated scanning and blocking capabilities, and the building of comprehensive inventories that support continuous monitoring. We also deploy cross-ecosystem protections, including prompt-injection defenses, confidentiality controls for conversations and sensitive data, a strong focus on agentic identity management to ensure secure authentication and authorization across AI-driven interactions, and dedicated initiatives to identify and mitigate shadow AI usage across the organization.
Our risk management framework also includes processes to manage cybersecurity risks associated with third parties, including a third-party risk management program that focuses on identifying security and data privacy risks arising out of our interactions with critical third-party suppliers and payment methods, and a program focused on assessing risks arising in mergers and acquisitions transactions. Additionally, we have procedures in place to block high-risk providers, minimize sensitive access paths, and automate key evaluations. Together, these measures are intended to reduce the likelihood and impact of AI-related cybersecurity incidents while enabling the safe and responsible use of AI across the organization.
In connection with our cybersecurity risk management processes, while we do not regularly engage assessors, consultants, auditors, or other third parties to assess, identify, and manage material risks from cybersecurity threats, we do involve such parties if there has been a cybersecurity incident that we believe requires an assessment by a third party.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. In the last three fiscal years, we have not experienced any material information security breach incidents and the expenses we have incurred from information security breach incidents were immaterial. See "Risk Factors" in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.
Governance
Management
The cybersecurity risk management processes described above are managed by our Cybersecurity VP under the supervision of the risk committee. Our risk committee is comprised of the Chief Financial Officer, Commerce President, Fintech President and the Heads of Corporate Affairs, Risk & Compliance, Data Privacy, Information Security, AML & Sanctions, Legal & Government Relations, Commerce Product Development, Fintech Product Development and IT Infrastructure. The primary purpose of the risk committee is to assist management and the board, either directly or indirectly through the board's Audit Committee, with their oversight of the Company's financial and non-financial risks, including cybersecurity risks.
Our Cybersecurity VP and certain other members of our risk committee are skilled in technology, security and/or risk and compliance. Our Cybersecurity VP is a certified information systems security professional (CISSP) with over 25 years of experience in cybersecurity, information security governance, technology and operational risk management, and fraud prevention. He holds a degree in computer engineering and has led large, geographically distributed security and technology organizations across Latin America.
His background spans multiple industries, including e-commerce, fintech, logistics and digital services, where he has designed and implemented enterprise cybersecurity strategies, cloud security programs, incident response capabilities and risk-based control frameworks. He also played a foundational role in establishing and scaling the Company's cybersecurity function, contributing to the development of its governance model and the expansion of its regional security operations.
As part of our cybersecurity risk management processes, our Cybersecurity VP presents security risk matters to the risk committee on an as-necessary basis and to the Audit Committee annually and on an as-necessary basis. The risk committee also meets quarterly and presents to management the status, evolution and main indicators of each principal security risk, although information security may not be deemed a risk in each particular quarter.
In the event of a critical cybersecurity incident, the Company's crisis management framework activates the cross-functional crisis management team, which, depending on the circumstances, is comprised of the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Commerce President, Fintech President, Corporate Affairs Executive VP, Marketing Executive VP and the Cybersecurity VP. This group works with the incident response team to help to evaluate, contain, eradicate and, if necessary, recover from the incident.
The Company's cybersecurity processes are formally evaluated by the Cybersecurity VP on an annual basis, which includes updating the Company's cybersecurity policy, security risk management policy and methodology, and classification of information.
Board of directors
Our full board of directors provides ultimate oversight for the cybersecurity program, in addition to other significant risks of the Company.
The board of directors has delegated primary oversight of cybersecurity risks and threats to the Audit Committee. The Audit Committee supervises the Company's risk management framework, including the policies and procedures used to identify, assess, measure, and manage both current and potential cybersecurity risks. On an annual basis, and whenever circumstances require, management and/or members of the Risk Committee brief the Audit Committee on cybersecurity matters, including any material risks. These updates cover the nature and evolution of cybersecurity risks, as well as initiatives aimed at strengthening and optimizing cybersecurity processes. In the event of a specific cybersecurity incident, these briefings also provide details on the incident's status, the stakeholders informed, and the remediation actions underway.
Company Information
| Name | MERCADOLIBRE INC |
| CIK | 0001099590 |
| SIC Description | Services-Business Services, NEC |
| Ticker | MELI - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |