Page last updated on March 5, 2026
ContextLogic Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-05 16:20:56 EST.
Filings
10-K filed on 2026-03-05
ContextLogic Holdings Inc. filed a 10-K at 2026-03-05 16:20:56 EST
Accession Number: 0001193125-26-094012
Item 1C. Cybersecurity.
Our Company recognizes the importance of maintaining the safety and security of our critical systems, information, and broader information technology environment. We have developed a comprehensive cyber, data governance, and privacy program intended to (i) protect the confidentiality, integrity, and availability of our information systems and data, and (ii) assess, identify, and manage material risks associated with cybersecurity threats. Our cybersecurity program is consistent with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF") 2.0, incorporating the core functions of governance, identification, protection, detection, response, and recovery as an integrated approach to cybersecurity risk management supporting enterprise-wide risk management objectives. Since the acquisition of US Salt, our Company has initiated various cybersecurity, governance, and privacy assessments, focused on operational continuity and managing the new industry risk landscape. As we integrate US Salt into our cyber, data governance, and privacy program, we will continue to adhere to our Company's integrated approach to cybersecurity risk management, while also focusing on those threats specific to US Salt and the mining and manufacturing sectors.

In order to protect Company data and any other data we manage or handle, we have adopted a number of safeguards and security measures. For example, we have implemented software-as-a-service firewalls, endpoint protection, detection and response solutions, intrusion detection systems, access controls including multi-factor authentication, vulnerability scanning, email security and threat protection, data loss prevention, device management and remote wipe capabilities, software static analysis, dynamic analysis, cloud monitoring and threat analytics, third-party independent business continuity testing, and independent third-party control audits.
In addition, we have implemented several policies and programs to improve compliance and reduce risk, ensure appropriate responses in the event of an incident, and reduce the cost and scope of an incident should it occur, including:
- a robust Incident Response Policy ("IRP"),
- an Information Technology and Information Security Policy ("IT & IS Policy"),
- a data governance program to oversee our Records Retention Policy,
- a Data Governance Working Group comprised of legal, finance, human resources, and third-party privacy and data governance consultants to review policies, programs, and data governance, and make reports and recommendations to management and the Board,
- mandatory cyber and information security training for all employees, and
- cybersecurity insurance designed to reduce the risk of loss resulting from cybersecurity incidents.

Our IRP, in conjunction with the IT & IS Policy, is designed to equip our employees and managers with the necessary tools to detect, respond to, and ultimately prevent cybersecurity incidents. It contains detailed processes and procedures to assist employees in managing cybersecurity incidents when they happen, including techniques for detecting and identifying suspicious activity in our data environment, response and escalation protocols to defend against intrusions and contain any potential data leakage, enhanced forensic evidence preservation procedures aligned with NIST guidance for system state and cloud environment preservation, data preservation measures to ensure data integrity going forward, and remediation steps to diagnose root causes and secure gaps to prevent future attacks. The Incident Response Team ("IRT") coordinates and aligns key resources and team members during a security incident to minimize impact, restore operations as quickly as possible, and assess and fulfill the Company's legal and contractual obligations.
The IRT is also responsible for centrally managing internal and external communications to ensure that disclosures are accurate and complete. The IRT is led by our Chief Compliance Officer, legal team, and Cybersecurity Response Leader, and is supported by a multi-tier team comprised of key stakeholders across the business including finance, HR, our dedicated IT managed service provider, and other external response partners, including cybersecurity consultants, cybersecurity insurance providers, and outside legal counsel. The IRT and external response partners operate under the supervision of our executive management team with oversight from the Audit Committee of our Board. Finally, the IRP is also supported by a full curriculum of training for employees that is drafted and administered under the supervision of our Chief Compliance Officer. Importantly, these training sessions include several modules and quizzes for both technical and non-technical employees to assist our employees in comprehensively understanding the importance of data security to our stakeholders and our business and the various ways they can promote a security environment throughout our company. We conduct monthly phishing simulations and quarterly targeted campaigns, with annual cybersecurity training required for all personnel.

Risk Management and Strategy

Incident Response Lifecycle - Assessing and Responding to Cyber Incidents

Our IRP sets forth the Company's process for assessing cyber threats. The IRP serves as the incident response plan to effectively manage, mitigate, and contain the risk of a security incident or data breach and it applies to all ContextLogic personnel, including employees, contractors, consultants, and any other individuals acting for or on behalf of the Company.
The IRP incident response lifecycle is comprised of four phases: (1) Preparation, (2) Detection and Analysis, (3) Incident Response, Investigation, and Notification, and (4) Post-Incident Analysis and Lessons Learned. The preparation phase of our IRP includes maintaining protective measures to minimize the likelihood and impact of a security incident, regularly reviewing and updating our policies and procedures to maintain alignment with industry standards and guidance, and periodic training of all Company personnel on information security, data privacy, and the procedures for reporting suspected incidents. The detection and analysis phase addresses the responsibility of Company personnel to notify our IRT Leader and IT managed service provider upon noticing, suspecting, or being notified of any actual or suspected security incident, which will prompt our IT provider to perform an initial investigation of the issue and determine whether the event is a security incident and whether the Cybersecurity Response Leader needs to be notified. The incident response, investigation, and notification phase of our IRP addresses the distinct but simultaneous workstreams that occur internally once an event has been determined to be a security incident. This includes technical response such as forensic evidence collection and preservation, following NIST-guided procedures, threat containment and eradication, and system and data restoration. Additionally, incident investigation efforts begin to determine the scope and severity of the security incident with legal and finance stakeholders. If appropriate, further measures are taken to comply with disclosure obligations as required by governance guidelines, committee charters, and applicable laws and contracts. We maintain comprehensive tracking systems for technical response activities, partner engagement, and legal notification timelines to ensure regulatory compliance. 
The post-incident analysis phase includes evaluating the internal security policies, preparedness, posture, and technical environment, allowing the Company to conduct a holistic assessment and identify and remediate shortcomings and gaps.

Evaluation

As part of our IRP, we conduct regular testing to ensure that the IRP is functional and effective. Tests may include tabletop exercises, verbal walkthroughs with relevant stakeholders, or responses to actual security incidents. We conduct annual tabletop exercises with external cybersecurity partners to stress test our incident response plans and assess team coordination. Our most recent exercise was conducted in the fourth quarter of 2025 with our cybersecurity insurance carrier, simulating a sophisticated ransomware attack. This exercise validated the effectiveness of our response protocols and identified improvement areas that were implemented within 30 days. We also engage third-party services from time to time to conduct evaluations of our security controls, including the IRP, whether through business continuity testing, vulnerability assessments performed semi-annually, or consulting on best practices to address new challenges and risks. Security patches on business applications and security software are updated at least monthly, with critical patches applied upon release.

Data Protection and Backup Ecosystem

We maintain a three-tier backup strategy for critical Company data to ensure data availability and resilience: primary backup through Microsoft 365 Cloud Backup for Exchange, OneDrive, and SharePoint; secondary backup through a cloud-based SaaS data protection platform with AES-256 bit encryption; and tertiary backup using network-attached storage with backup software providing physical redundancy.
Supply Chain and Third-Party Risk Management

Consistent with NIST CSF 2.0 guidance, we implement supply chain cybersecurity risk management through comprehensive vendor risk assessments for all technology vendors, annual security reviews for critical vendors and those of financial significance pursuant to Sarbanes-Oxley requirements, contractual requirements for cybersecurity standards compliance, and incident notification requirements defined in vendor agreements. We verify software integrity through cryptographic signatures and impose secure development lifecycle requirements for custom software vendors.

Artificial Intelligence Considerations

We recognize that artificial intelligence ("AI") technologies present both opportunities and risks in the cybersecurity landscape. AI and machine learning capabilities may enhance both the ability of companies to defend against cybersecurity threats and the capacity of threat actors to launch sophisticated attacks, including through AI-enabled phishing attempts, automated vulnerability scanning, and generation of malicious code. Our risk assessment processes include evaluation of AI-related cybersecurity risks, and our vendor risk management program includes comprehensive security and compliance assessments of any AI tools being considered for business use. We assess AI tools for data protection capabilities, contractual safeguards, audit rights, and suitability for handling confidential information. Our IT & IS Policy addresses the use of AI tools and requires that data input into these tools adhere to Company policies, with any unauthorized data input without express written approval strictly prohibited.

Risk Assessment and Program Updates

Recognizing the evolving nature of cybersecurity threats, including those related to emerging technologies such as AI, we conduct comprehensive data and system security risk assessments at least annually, with more frequent assessments for new technologies and high-risk scenarios.
Our risk assessment process covers identification of cybersecurity governance risks, protection of Company networks and information, risks associated with fund transfer requests, vendor and third-party risks including AI tool providers, and detection of unauthorized activity. Following each assessment, we implement necessary action items, identify and remediate areas of high risk, ensure previously identified high-risk areas are addressed, and integrate changes into our policies and procedures.

Board and Management Oversight

The Company's management is involved in overseeing our cyber, data governance, and privacy program as members of our Data Governance Working Group, and assessing security incidents with the IRT to the extent discussed in the IRP above. The Board and Audit Committee actively oversee our enterprise risk management, including cybersecurity risks, and are notified and updated on any security incidents on a regular basis. The Audit Committee is responsible for overseeing our cyber, data governance, and privacy program and receives regular updates from management and the IRT leader about the Company's ongoing compliance and risk management, and reports to the Board regularly. The Audit Committee receives quarterly reports on cybersecurity metrics, risk posture, incident response activities, and program updates. Our Chief Compliance Officer leads our overall cybersecurity governance and compliance efforts, coordinates incident response activities, oversees policy development and updates, and serves as the primary liaison between management, the Board, and external response partners.

Cybersecurity Threat Disclosure

To date, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us.
Company Information
| Name | ContextLogic Holdings Inc. |
| CIK | 0002064307 |
| SIC Description | Retail-Catalog & Mail-Order Houses |
| Ticker | LOGC - OTC |
| Website | |
| Category | Accelerated filer Smaller reporting company |
| Fiscal Year End | December 31 |