Rubicon Technologies, Inc. - (RBT)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity.
Cybersecurity, Risk Management, and Strategy
Rubicon recognizes the importance of identifying, assessing, and managing risks associated with cybersecurity threats. Rubicon’s approach to risk management starts with assessing the likelihood and impact of a potential or known risk. Rubicon focuses on substantiating each identified risk by classifying its risk rating and residual risk, followed by categorizing the risk with two (2) additional criteria. First, we assess if the risk is related to our overall cybersecurity program, business continuity, privacy compliance, or financial risk. Second, we designate a strategy for each identified risk, including acceptance, avoidance, transference, and mitigation.
Rubicon’s cybersecurity program is built around the Service Organization Control Type 2 (SOC 2) standards established by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA). The cybersecurity program is independently assessed through the SOC 2 audit process. Additionally, we have developed and implemented a Business Continuity Management System (BCMS) which has been certified against the International Organization for Standardization (ISO) 22301:2019 standard. Rubicon’s program encompasses a series of policies and controls to prevent, detect, and respond to threats and incidents. Policies and controls include, but are not limited to, identity access management, employee awareness and training, change management, privacy, continuity and resiliency, incident management, security operations, endpoint security, data classification and handling, and third-party risk management.
Additionally, Rubicon employs the use of third-party services to support continuous cybersecurity and network monitoring. Specifically, these third parties provide managed detection and response, as well as incident response and readiness services. The cybersecurity team manages routine internal auditing, penetration testing, vulnerability scanning, exercising and training, third-party assessments, and policy enforcement.
Governance
Rubicon’s Board of Directors, through the Audit Committee, is responsible for the independent oversight of Rubicon’s cybersecurity program. The duties and responsibilities of the Audit Committee can be found in the Audit Committee Charter, which is located on our investor relations website. Members of the management team report to the Audit Committee, which reports to the entire Board of Directors about cybersecurity risk at least annually. In addition, in accordance with Rubicon’s incident response procedures, the Board of Directors is informed of any potentially material cybersecurity incidents upon discovery and classification of a cyber incident if the incident meets Priority One Status (“P1”) and has potential for data loss, loss of service(s) greater than that of any defined service level agreement, or may or does require breach notification. All lower-level incidents are reported to the Audit Committee annually, or as needed.
Rubicon’s cybersecurity program is managed by a dedicated team led by our Vice President of Cybersecurity, who is responsible for deploying and maintaining cybersecurity operations through the use of people, processes, and technology. Rubicon’s cybersecurity team leverages industry standards and industry-recognized best practices. Any incident, either assumed or actual, is escalated for further review as soon as practicable, and then reported to designated members of the executive leadership team pursuant to Rubicon’s established incident management procedures.
Our designated Chief Information Security Officer ("CISO") is responsible for overseeing the performance of our cybersecurity program in partnership with our Chief Executive Officer ("CEO"). Our Vice President of Cybersecurity reports to the CISO. The CISO and CEO receive routine updates regarding current operations, threats, and industry trends. Findings from independent auditors as well as findings from internal audits and any penetration testing are presented to the CISO and CEO and corrective action is prioritized, where applicable.
In 2023, Rubicon did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our strategies, operations, or financial condition. Rubicon cannot eliminate all risks from cybersecurity threats or other related risks or provide guarantees or assurances that we have not experienced undetected cybersecurity incidents. To that end, however, we believe cybersecurity is the responsibility of all related parties to our business.