Oportun Financial Corp - (OPRT)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Our cybersecurity risk management process is aligned with our enterprise risk management framework and policy. This allows us to assess, identify, and manage material risks arising from cybersecurity threats. As part of our integrated approach to risk management, and to help safeguard the confidentiality, integrity and availability of our data and systems, we maintain a comprehensive cybersecurity program that comprises administrative and technical controls; cybersecurity, technology and privacy policies and procedures; management oversight; accountability structures; and technology design processes (collectively, our "Cybersecurity Program").

We monitor our environment using tools designed to detect security events on an ongoing basis, and we engage with third parties to audit our information security program and to perform regular penetration tests of our applications and infrastructure environments. In addition, our third-party risk management program oversees and identifies service provider risks through pre-onboarding security evaluations, ongoing monitoring, and regular reassessments, with an emphasis on those service providers that have access to our systems or networks or that receive or store non-public information. Any risks identified by or to us through these activities are recorded in an internal risk register and actively managed. We work to remain vigilant with respect to new and emerging risks utilizing these tools, and our security team continues to review and make strategic investments in our information security program in support of our efforts to keep our data and systems secure.

The Cybersecurity Program includes a cyber incident response plan that provides controls and procedures designed to enable swift response, remediation, and timely and accurate reporting of any material cybersecurity incident.

We also maintain an internally staffed cybersecurity operation center, which performs security monitoring and is directly responsible for our efforts to monitor, prevent, and detect cybersecurity incidents, as well as for appropriate and timely escalations concerning cybersecurity incidents that are discovered. Under our Cybersecurity Program, identified cybersecurity events and incidents are reported to our dedicated incident response team, which includes various members of our legal and compliance teams, cybersecurity team, relevant business teams, executive management, and, as warranted, our third-party security, audit, and consulting partners. Our program also retains an external third-party firm to activate as a supplement in the event of a significant security incident.

To promote organization-wide attention to cybersecurity issues, we conduct mandatory employee training on cybersecurity and provide ongoing cybersecurity education and awareness, such as mock phishing attacks, incident simulations, and cybersecurity awareness materials.

Governance

As delegated by our Board, the Audit and Risk Committee of the Board is responsible for oversight of our risk management process and framework, which is designed to monitor and manage strategic and operational risks, including cybersecurity risk. Our senior management, including our Chief Information Security Officer (CISO), is responsible for oversight of our Cybersecurity Program, and maintains responsibility for the regular assessment and management of cybersecurity risks, including by direct work implementing the Cybersecurity Program and by supervising our cybersecurity team. Our Cybersecurity Program is further supported by our cybersecurity governance, risk and compliance team, which is led by our CISO and is composed of experienced and skilled personnel who are responsible for our security assurance, risk and operational management. Our CISO has over 24 years of experience in cybersecurity, business leadership, investigations, compliance, and cyber-risk management within the high-tech and financial services industries.

Our CISO provides the Audit and Risk Committee with no less than quarterly updates on the status of the Cybersecurity Program, information systems and any material security incidents, or more frequently if circumstances warrant, including on topics related to information security, data privacy and cyber risks and mitigation strategies.

Like most technology companies, we have suffered cybersecurity incidents in the past, and expect that we may face cybersecurity incidents in the future. As of the date of this report on Form 10-K, however, we have not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For additional information about the cybersecurity risks that we face, please see the discussion in Item 1A. “Risk Factors” in this annual report on Form 10-K, including the risk factor entitled “Business, Financial and Operational Risks; Security breaches and incidents may harm our reputation, adversely affect our results of operations, and expose us to liability.”
