StubHub Holdings, Inc. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 5, 2026

StubHub Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 18:17:03 EST.

Filings

10-K filed on 2026-03-04

StubHub Holdings, Inc. filed a 10-K at 2026-03-04 18:17:03 EST
Accession Number: 0001628280-26-014844


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We maintain an Information Security Program that includes policies and processes intended to address cybersecurity related risks. The program is designed to support the identification, assessment, mitigation, and monitoring of cybersecurity threats that could affect our information systems and data. The program draws on elements of the National Institute of Standards and Technology ("NIST") Cybersecurity Framework and various regulatory and industry standards, including PCI DSS, SOX, GDPR, and CCPA, among others; however, we do not represent that our program meets any specific standard or that our controls align with all aspects of any such framework.

Oversight of our Information Security Program is provided by our Information Security Team, with executive oversight from our Chief Technology Officer ("CTO"), and support from our Governance, Risk, and Compliance ("GRC") Team. Our cybersecurity risk management processes are integrated into our broader enterprise risk management activities, and are considered in connection with operational, financial, and strategic decision-making.

Key components of our cybersecurity risk management activities include, but are not limited to, the following:

- Risk and Control Reviews: We conduct periodic reviews of cybersecurity risks and evaluate our controls based on internal assessments and, where appropriate, guidance from applicable frameworks and external advisors. These assessments help inform our prioritization of cybersecurity risk mitigation within our broader enterprise risk management processes.
- Detection and Incident Response: We maintain processes intended to detect, investigate, escalate, and respond to cybersecurity incidents. These processes are guided by our Incident Response Plan, which outlines procedures for handling cybersecurity incidents.
- Vendor Oversight: Certain vendors and service providers undergo reviews intended to evaluate their security practices, which may include requesting third-party security reports or other documentation. We depend on these third parties to maintain appropriate security measures, and no assurance can be provided that their controls will be adequate or effective.
- Technology and Cloud Environment: We implement controls applicable to our use of cloud-based and hosted environments. Responsibilities vary based on contractual and technical arrangements with third-party providers.
- Use of Artificial Intelligence: Implementation of artificial intelligence technologies within our business operations is subject to review by designated internal teams, including our Information Security, GRC, AI, and Legal teams.
- Program Evaluation: We periodically assess certain aspects of our Information Security Program through internal activities and engagements with external advisors, which may include vulnerability assessments, penetration testing, or other exercises. We also engage external auditors to conduct an annual PCI DSS assessment of our cardholder environment.
- External Advisors: We engage external advisors, where appropriate, to assess, test or otherwise assist with aspects of our security processes.

Like many companies, we are subject to ongoing attempts to access, disrupt, or misuse our systems and data. Our controls and processes are intended to reduce the likelihood and impact of cybersecurity incidents, but no cybersecurity program is capable of eliminating all risks, and future incidents could materially affect us. We have not identified risks from known cybersecurity threats, including prior cybersecurity incidents, that have materially affected us. However, cybersecurity threats continue to evolve, and such threats, if realized, could materially affect our business, operations, or financial condition.

Cybersecurity Governance

The Board of Directors oversees our enterprise risk management processes, which include risks associated with cybersecurity. The Audit Committee assists the Board in this oversight. Our CTO and leaders within our Information Security and GRC teams, are responsible for assessing and managing cybersecurity risk on a day-to-day basis.

Our Information Security and GRC teams report to our CTO, who has over 25 years of experience in the technology sector, including more than two decades leading and managing engineering organizations. Supporting our CTO is a cybersecurity leadership team with more than 20 years of combined experience across the technology, consulting, and financial services industries. Collectively, our CTO and cybersecurity team has deep expertise in security engineering, offensive security and threat mitigation, information technology operations, governance, risk management, and regulatory compliance. Our cybersecurity leadership team possesses advanced formal education and industry-recognized credentials in cybersecurity, information technology, and risk management. They are responsible for overseeing our enterprise-wide cybersecurity strategy, risk assessment and remediation efforts, incident response, and compliance programs, and have experience building and leading high-performing teams designed to safeguard complex technology environments against evolving cyber threats.

Management remains informed and provides oversight for our ongoing cybersecurity efforts through targeted cybersecurity briefings, participation in strategic business reviews that address technology and cybersecurity risk considerations, and other incident-focused reviews with leaders of our cybersecurity team. Through these structured engagements, management oversees initiatives designed to continuously enhance the effectiveness of our overall cyber-security program by preventing, detecting, mitigating, and remediating cybersecurity threats.

Management provides updates to the Audit Committee and the Board on cybersecurity matters, as management deems appropriate, including the nature of developments in the threat environment and other relevant factors.


Company Information

Name: StubHub Holdings, Inc.
CIK: 0001337634
SIC Description: Services-Miscellaneous Amusement & Recreation
Ticker: STUB - NYSE
Website:
Category: Non-accelerated filer
Fiscal Year End: December 31