Life360, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Life360, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:11:27 EST.

Filings

10-K filed on 2026-03-02

Life360, Inc. filed a 10-K at 2026-03-02 16:11:27 EST
Accession Number: 0001581760-26-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We take a layered approach to cybersecurity and leverage multiple levels of controls designed to mitigate and minimize cybersecurity risks and protect the confidentiality, integrity, and availability of our critical systems and information. We have established and implemented policies and processes designed to assess, identify, and manage risks from cybersecurity threats, including those related to our products and SaaS security, and have integrated these activities into our operating model and enterprise risk management processes. We monitor for, and assess, material risks from cybersecurity threats such as unauthorized occurrences or events on or conducted through our information systems that may result in adverse effects to the confidentiality, integrity, or availability of our information systems or information, including personal information, proprietary information, and intellectual property. Identification and Assessment To identify and assess risk, we maintain a cybersecurity risk register that is reviewed regularly and updated as appropriate. These risk assessments include identification of reasonably foreseeable internal and external risks, consideration of our use of third-party service providers and vendors, the likelihood and potential damages that could result from such risks (to the extent known), and the potential sufficiency of existing mitigating policies, procedures, systems, and safeguards. Risk is scored based on the potential impact to the business (inherent risk) and re-scored based on mitigations in place (residual risk). Following this assessment, we determine opportunities to further mitigate identified risks, including potential changes to controls and processes. Risk Mitigation We implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats, including those related to our products and SaaS security. These measures include monitoring our information systems, networks, and devices for potential threats, managing vulnerabilities, and updating systems and tools to address identified risks or emerging threat vectors. Changes to material systems are governed by our change management processes, and we evaluate certain systems for potential vulnerabilities on a periodic basis. We also maintain processes designed to control access to material systems, which are reviewed and updated as appropriate. We also use third-party service providers, some of which incorporate machine-learning or AI capabilities, to assist in detecting anomalous activity and identifying potential cybersecurity threats. As part of our product development and operational practices, we incorporate security reviews intended to identify and mitigate potential risks in our products and services. These reviews may include penetration testing, secure development practices, and the use of automated tools to help identify potential vulnerabilities. Vendor Management In providing our products and services, we use third-party vendors and applications extensively. We onboard material vendors through a vendor review process, which includes a security assessment, and evaluate certifications and testing as relevant. Vendors are reviewed periodically to assess compliance and related cybersecurity risk. Additional Information For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to "Item 1A. Risk Factors" in this annual report on Form 10-K. To date, we have not identified cybersecurity incidents that have materially affected our business strategy, results of operations, or financial condition. However, cybersecurity threats continue to evolve and future incidents could be material. Threat actors are also increasingly leveraging AI to enhance phishing, social engineering, and attack automation. Governance Responsibilities of the Board of Directors Our Board provides oversight of our risk management process, including risks from cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure and the mitigation and remediation of cybersecurity incidents, and our executive officers (including our Chief Executive Officer and Chief Financial Officer) are responsible for the day-to-day management of the material risks we face, including cybersecurity risks. Our Board administers its cybersecurity risk oversight function as a whole, as well as through the Audit Committee ("AC"). Our corporate information security team informs the Board and AC of certain cybersecurity risks and threats during quarterly meetings and provides materials shared in connection with such meetings, as well as ad hoc updates when there are material developments or changes that may impact cybersecurity risk to the company. Refer to "Item 10. Directors, Executive Officers and Corporate Governance" section of this Annual Report for additional information regarding the AC and other committees of the Board as well as the AC charter. Responsibilities of Management Our corporate information security team, reporting to our Chief Technology Officer , is primarily responsible for assessing and managing material risks from cybersecurity threats, defining and overseeing our corporate security program, reviewing technical designs and vendors for security risks, and managing our security tools and infrastructure. The team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology systems environment, including those described in "Item 1C. Cybersecurity - Risk Management and Strategy." Our corporate information security team provides frequent briefings to management regarding the Company's cyber security risks and risk-mitigation efforts, which may include recent incidents and related responses, newly identified risks, changes to the security program, and activities of third parties and vendors, as appropriate. Management provides cybersecurity updates to executive management and the Board through meetings and materials shared in connection with those meetings, as well as ad hoc updates when there are material developments or changes. Incident Response Procedures We maintain cybersecurity incident response procedures designed to identify, assess, escalate, and remediate cybersecurity incidents. These procedures include processes for evaluating the nature and potential impact of an incident, determining whether disclosure or regulatory reporting is required, and coordinating response efforts across relevant internal teams and external specialists, as appropriate. Significant cybersecurity incidents are reported to senior management and, when appropriate, to the Board of Directors or the AC.
Item 1C. Cybersecurity - Risk Management and Strategy." Our corporate information security team provides frequent briefings to management regarding the Company's cyber security risks and risk-mitigation efforts, which may include recent incidents and related responses, newly identified risks, changes to the security program, and activities of third parties and vendors, as appropriate. Management provides cybersecurity updates to executive management and the Board through meetings and materials shared in connection with those meetings, as well as ad hoc updates when there are material developments or changes. Incident Response Procedures We maintain cybersecurity incident response procedures designed to identify, assess, escalate, and remediate cybersecurity incidents. These procedures include processes for evaluating the nature and potential impact of an incident, determining whether disclosure or regulatory reporting is required, and coordinating response efforts across relevant internal teams and external specialists, as appropriate. Significant cybersecurity incidents are reported to senior management and, when appropriate, to the Board of Directors or the AC.

Company Information