Maplebear Inc. - (CART)
10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have implemented and maintain a cybersecurity risk management program that is designed to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program is integrated with our overall enterprise risk management program and includes the following key elements:
• We perform risk assessments designed to help identify material cybersecurity risks to our critical systems and services, and where appropriate, we engage external experts and consultants to assist us in performing certain of these risk assessments;
• Our cybersecurity team is composed of security and infrastructure engineers and compliance personnel. This team is principally responsible for directing (1) our cybersecurity risk assessment processes, (2) our security processes, and (3) our responses to cybersecurity incidents;
• We use external cybersecurity service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security processes;
• We conduct cybersecurity awareness trainings for employees who have access to our IT systems;
• We maintain a cybersecurity incident response plan and a security operations function so we can respond to cybersecurity incidents; and
• We have implemented a third-party risk management process for key third-party service providers. This includes, among other things, conducting security assessments of key third-party service providers, including prospective third-party service providers, prior to entering into or renewing business transactions with them or providing them access to our data or information systems and imposing contractual restrictions on such providers as appropriate based on their risk profile.
We have not experienced any cybersecurity incidents over the past three years that have materially affected us, including our business strategy, results of operations, or financial condition. For certain risks from cybersecurity threats that may materially affect our business strategy, results of operations, or financial condition, see section titled “Risk Factors – Risks Related to Our Business and Industry - If we or the third parties we rely on experience a compromise to the confidentiality, integrity or availability of systems, or data of our customers, shoppers, partners’, or Instacart, we may experience adverse consequences, including but not limited to regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations; reputational harm, loss of revenue or profits, loss of customers or sales, and other adverse consequences.”
Governance
Our board of directors delegates the cybersecurity risk oversight function to its audit committee. The audit committee oversees management’s design, implementation, and enforcement of our cybersecurity risk management program. Management has overall responsibility for assessing, identifying, and managing material cybersecurity risks.
Our VP of Engineering Infrastructure and our Chief Information Security Officer (“CISO”) lead the Company’s cybersecurity function. Our CISO supervises both our internal cybersecurity personnel and our external cybersecurity service providers. Our CISO has significant global experience in managing and leading IT and cybersecurity teams, with over 20 years of experience in the cybersecurity industry in various positions. Our CISO is a Certified Information Systems Security Professional by the International Information System Security Certification Consortium. Our CISO reports to our VP of Engineering Infrastructure, who has over 18 years of experience in leading software engineering teams in the technology industry, including at Yahoo!.
The audit committee and our risk committee, a management committee overseeing our enterprise risk management program, receive reports from our CISO regarding key cybersecurity risks facing the company, our cyber risk management program, significant cybersecurity incidents involving us or our third-party service providers, and the progress of ongoing initiatives as well as the effectiveness of internal control and compliance mechanisms. The audit committee, in turn, briefs our board of directors on its cybersecurity oversight activities as appropriate or necessary.
Our management team, through our VP of Engineering Infrastructure and CISO, stays informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which include briefings with internal security personnel, review of threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers, and receiving alerts and reports produced by security tools deployed in our IT environment. Our CISO relies on close collaboration with other internal infrastructure, product, and engineering teams to implement our cybersecurity risk mitigation measures.