ThredUp Inc. - (TDUP)

10-K Filing Date: March 04, 2024
Item 1C. Cybersecurity
ThredUp uses, stores and processes data for and about our customers, employees, partners and suppliers. We have implemented a cybersecurity risk management program that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data, our systems and business operations.
Cyber Risk Management and Strategy
Under the oversight of the Board of Directors and Audit Committee, we have implemented and maintain a risk management program that includes processes for the systematic identification, assessment, management, and treatment of cybersecurity risks. Our cybersecurity oversight and operational processes are integrated into our overall risk management processes, and cybersecurity is one of our designated risk categories. We use the National Institute of Standards and Technology Cybersecurity Framework to guide our approach, ensuring a structured and comprehensive strategy for managing cybersecurity risks. We implement a risk-based approach to the management of cyber threats, supported by cybersecurity technologies, including automated tools, designed to monitor, identify, and address cybersecurity risks. In support of this approach, our Information Security team implements processes to assess, identify, and manage security risks to the company, including in the pillar areas of security and compliance, application security, infrastructure security, and data privacy. This process includes regular compliance and critical system access reviews. In addition, we conduct application security assessments, vulnerability management, penetration testing, security audits, and ongoing risk assessments as part of our risk management process. We also maintain an incident response plan to guide our processes in the event of an incident. We also have a process to require corporate employees to undertake cybersecurity training and compliance programs annually.
We utilize third parties and consultants to assist in the identification and assessment of risks, including to support tabletop exercises and to conduct security testing.
Further, we have processes in place to evaluate potential risks from cybersecurity threats associated with our use of third-party service providers that will have access to Company data, including a review process for such providers’ cybersecurity practices, risk assessments, contractual requirements, and system monitoring.
We continue to evaluate and enhance our systems, controls, and processes where possible, including in response to actual or perceived threats specific to us or experienced by other companies.
Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats to and breaches of our and our third-party vendors’ data and systems. For more information, please see Item 1A. Risk Factors the section titled “Risk Factors—Risks Relating to Information Technology, Intellectual Property, Data Security and Privacy—Compromises of our data security could cause us to incur unexpected expenses and may materially harm our reputation and results of operations.”
Risk Management Oversight and Governance
The Board of Directors has oversight of the Company’s cybersecurity program and has delegated the quarterly assessments and management of cybersecurity risks to the Audit Committee.
Our Vice President of Engineering, Product and Platform oversees our information security program and leads our information security team. Our Vice President of Engineering, Product and Platform works closely with our Head of Internal Audit, in furtherance of the management of risks to the Company. The Vice President of Engineering, Product and Platform has primary responsibility for assessing and managing our cybersecurity threat management program, informed by over twenty years of experience leading cross-functional organizations in the development and operation of large-scale systems, primarily focused on e-commerce.
The Head of Internal Audit reports to the Chair of the Audit Committee and has twelve years of experience with internal audit oversight and risk management. The Head of Internal Audit and the Chief Operating Officer have overall responsibility for the Company-wide risk management program.
42

Table of Contents
Our Vice President of Engineering, Product and Platform reports quarterly to the Audit Committee of the Board of Directors on the information security program and related cyber risks. The Head of Internal Audit and the Chief Operating Officer provide an annual update to the Board of Directors on the Company’s overall risk management strategy, which includes addressing cybersecurity risks. We have also established a Cyber Incident Disclosure Committee, which is responsible for assessing the impact and materiality on the Company and its stakeholders of any significant cybersecurity incidents and any disclosure obligations arising from any such incidents, as applicable. The findings of any incidents by the Cyber Incident Disclosure Committee are reported to the Audit Committee by the Vice President of Engineering, Product and Platform.