Chime Financial, Inc. 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

Chime Financial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 19:16:37 EST.

Filings

10-K filed on 2026-03-06

Chime Financial, Inc. filed a 10-K at 2026-03-06 19:16:37 EST
Accession Number: 0001795586-26-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. While no organization can eliminate cybersecurity risk entirely, these processes are designed to identify, assess, and manage cybersecurity risks. We assess risks from cybersecurity threats, including potential unauthorized occurrences on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or information residing therein. Such assessments are conducted on a periodic and risk-based basis, including at least annually and take into account changes in our business, technology, or threat landscape. We have also implemented a cybersecurity incident response plan that includes procedures for assessing, managing, and otherwise responding to cybersecurity incidents. We conduct periodic risk assessments to identify cybersecurity threats, including in connection with material changes to our business practices that may affect our information systems. These risk assessments include consideration of reasonably foreseeable internal and external risks, the potential impact of such risks, and the sufficiency of existing safeguards in place to manage such risks. Following these risk assessments, we may implement or modify reasonable safeguards to address identified risks, as appropriate, and monitor the effectiveness of such safeguards. Decisions regarding the nature and timing of any actions are informed by risk considerations and operational factors. We designate senior personnel, including our Chief Security Officer and Chief Information Officer ("CISO"), to oversee aspects of the risk assessment and mitigation process. These efforts are coordinated with other functions, including technology, risk management, legal, and compliance, as appropriate. As part of our overall risk management system, we provide cybersecurity awareness training to our employees. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings. We may require additional or more tailored cybersecurity training for certain employees based on their specific job responsibilities. We may also conduct testing and exercises relating to our safeguards. We engage third-party service providers, including consultants and auditors, from time to time in connection with our risk assessment processes. We also maintain processes to identify and assess cybersecurity risks associated with our use of third-party service providers. As appropriate based on risk, our contracts with certain third-party service providers include provisions relating to information security measures and incident reporting in accordance with contractual requirements and applicable law regarding any suspected breach of security measures that may affect our company. We maintain designated points of contact for third-party service providers to report cybersecurity incidents or suspected security events. To date, we have not experienced cybersecurity incidents that have materially affected our business, strategy, results of operations, or financial condition. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, "Risk Factors," in this Annual Report on Form 10-K. Governance One of the key functions of our board of directors ("Board") is oversight of our risk management process, including risks from cybersecurity threats. The Board's role is one of oversight, while management is responsible for the day-to-day management of cybersecurity risks. Our Board retains ultimate oversight responsibility for our risk management framework, including risks from cybersecurity threats, and has delegated primary oversight of cybersecurity risk matters to the Audit and Risk Committee ("Audit Committee"). Members of the Audit Committee receive periodic updates from management, including from our CISO, regarding cybersecurity risks, as appropriate. 67 Our CISO is responsible for overseeing our information security program and for assessing and managing material cybersecurity risks, in coordination with relevant internal teams. Our CISO has experience in information security and related fields, including leadership roles overseeing security programs for complex, regulated technology environments. We have a cybersecurity incident response team and a cybersecurity incident response plan that outlines the roles and responsibilities of key personnel, including representatives from relevant functions that may be involved in responding to, remediating and escalating such incidents. The involvement of particular personnel may vary depending on the nature and severity of an incident. Our CISO oversees our cybersecurity policies and processes, including those described in "Risk Management and Strategy" above. Our CISO provides information to the Audit Committee regarding our company's cybersecurity risks and activities, including recent cybersecurity incidents and related responses, as appropriate. The Audit Committee, in turn, reports to the Board regarding its cybersecurity oversight activities as appropriate.

Company Information