Coupang, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Coupang, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:23:46 EST.

Company Summary

Coupang, Inc. is a technology and commerce company operating retail e-commerce, restaurant delivery, video streaming, and fintech services (brands include Coupang, Coupang Eats, Coupang Play) and, following its acquisition, the Farfetch luxury marketplace.

Filings

10-K filed on 2026-02-26

Coupang, Inc. filed a 10-K at 2026-02-26 16:23:46 EST
Accession Number: 0001834584-26-000024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Coupang has a cyber risk management framework designed to identify, assess, and manage cyber related risks. Cyber related risks are identified through regular vulnerability scans, audits, assessments, and incidents. Our vulnerability scanning process uses both automated tools and penetration testing to identify vulnerabilities within our environment . We seek to identify, manage, and reduce the risks and potential vulnerabilities by integrating controls and solutions into information security and technology projects based on severity and priority of the risk or vulnerability. We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider, customer, or otherwise implicating the third-party technology and systems we use. The Chief Information Security Officer ("CISO"), who has extensive cybersecurity knowledge and skills gained from over 15 years of work experience at the Company and elsewhere, leads our global information security organization responsible for implementing the Coupang information security program. The CISO regularly reviews our cyber strategy, in collaboration with technology leadership, in order to integrate the cyber strategy across the organization. The CISO is updated on cybersecurity threats from experienced information security officers in our security organization on an ongoing basis and in conjunction with management, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Supporting the CISO, is the dedicated information security team, which comprises over 200 individuals. In addition to full-time employees, external consultancy services provide us with certain information security services, as described below, and specialized advice. We conduct annual assessments by certified external third-party assessors as part of our industry-recognized certifications, ISO 27001, 27017, 27701, and ISMS-P. We periodically have external third-party consultants conduct maturity assessments of our information security program. The results of these audits and assessments inform us about possible risks which are managed through our enterprise risk management process. We employ external third-party vendors to provide cyber threat intelligence when relevant information is available or as requested. We also have a program of Cyber Tabletop exercises, run periodically, with key people in our business, to further enhance our capabilities to respond to and recover from a cybersecurity incident. The Coupang executive leadership team provides oversight and guidance on cyber policies, procedures, and strategies. Our Board of Director's role in risk oversight is consistent with our leadership structure, with the executive leadership team having responsibility for assessing and managing risks we face in executing our business plans, and the Board and its committees providing oversight in connection with those efforts. In addition to the full Board, the Audit Committee of the Board plays an important role in the oversight of our enterprise risk assessment and management activities, which identify key risks to our business, including risks related to cybersecurity, data privacy, and regulations, and assesses the Company's strategy to monitor and control such risks. The Audit Committee regularly meets with the CISO to discuss various cybersecurity matters including cyber strategy, cybersecurity risks, controls, results of audits, mitigation strategies, areas of emerging risks, incidents, if any, and industry trends. The Audit Committee provides periodic reports to the full Board regarding cybersecurity matters. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported to the Audit Committee through ongoing updates until resolution. We seek to identify and manage risks from cyber threat intelligence and lessons learned from known cybersecurity incidents with our cyber risk management process and include these within our cyber risk strategy through major information security and technology enhancements and projects. Notwithstanding the measures we have put in place, on November 18, 2025, Coupang Corp. became aware of a data incident involving unauthorized access to customer accounts by a former employee (the "Incident"). Upon discovery, Coupang activated its incident response processes, disabled the method used by the former employee to gain unauthorized access, reported the Incident to the relevant Korean regulatory and law enforcement authorities, warned customers whose data was potentially accessed, and notified the full Board. The Incident involved a former employee who obtained the name, phone number, delivery address, and email address associated with approximately 33 million customer accounts. (None of our customers' banking or financial information, payment card data, login credentials, or government-issued IDs were obtained or otherwise compromised in the Incident). As part of the investigation, this former employee was identified and turned over all known devices used in the Incident. Further, the investigation indicates that the former employee only saved limited data from approximately 3,000 customer accounts, and such saved customer data was deleted without having been shared with a third party or otherwise publicly disclosed. Coupang Corp. announced a customer compensation program to issue approximately $ 1.2 billion worth of vouchers to customers who were notified of the Incident at the end of November 2025 that may be applied towards future Coupang purchases. We may also incur additional expenses including from remediation, regulatory penalties, and litigation. Coupang, Inc. 2025 Form 10-K In response to the Incident, putative securities class actions and a derivative lawsuit were filed on behalf of certain persons who purchased or acquired shares of Coupang Class A common stock. For additional information, see Item 1A. "Risk Factors" and Note 14 - "Commitments and Contingencies" to the consolidated financial statements included in Part II, Item 8. "Financial Statements and Supplementary Data" of this Form 10-K. Our operations were not materially disrupted due to the Incident, however we remain subject to various risks due to the Incident, including potentially material financial losses resulting from the potential loss of revenue and potential higher expenses, including from remediation, regulatory penalties, and litigation. We believe that the Incident has increased and will further increase the Korean government's focus on our business and could result in additional inquiries, enforcement actions, and litigation. We may again in the future be affected by cybersecurity and data security incidents, and such incidents could be material to the Company. See "Item 1A. Risk Factors" in this Form 10-K for additional discussion on the risks of future cyber incidents to our results of operations and financial condition.

Company Information