TheRealReal, Inc. - (REAL)
10-K Filing Date: March 01, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. We review our security plans and strategies as threats and conditions evolve. The following is a summary of our cybersecurity risk management and strategy processes:
Enterprise Risk Management: Our enterprise risk management program includes management of material risks from cybersecurity threats alongside other Company risks as part of our overall risk assessment process. In 2023, our Internal Audit team completed an Enterprise Risk Assessment to identify and prioritize the most critical risks that could impact our ability to achieve our business priorities and make risk-informed strategic decisions. With management’s input, our Board and Internal Audit team have identified cybersecurity as one of the risks that merits the highest level of prioritization. Informed by this designation, our Internal Audit team tracks cybersecurity key indicators and engages in discussions on the status, priorities and impact of cybersecurity risk response plans; reports key information to management throughout the year to inform decision making; and reports to the Audit Committee on a quarterly basis and to the full Board on the results and progress of the risk mitigation process.
In addition, we employ a range of tools and services to inform our assessment, identification and management of material risks from cybersecurity threats, which include from time to time:
• monitoring emerging data protection laws, including the California Consumer Privacy Act and the General Data Protection Regulation, and implementing responsive changes to our processes;
• undertaking periodic reviews of our policies and statements related to cybersecurity;
• conducting cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
• conducting phishing email simulations for employees and contractors with access to corporate email systems;
• requiring employees, as well as third parties who provide services on our behalf, to treat information and data with care; and
• conducting tabletop exercises to simulate a response to a cybersecurity incident and using the findings to improve our processes and technologies.
Incident Response Team and Outside Resources: We have formed an Incident Response Team that monitors and mitigates material risks from cybersecurity threats. This team is composed of members from the information security, engineering and legal teams. The Incident Response Team and our internal legal team work in tandem to estimate the severity and materiality of a cybersecurity incident, create a response plan and inform other stakeholders as appropriate, including the Audit Committee or the full Board. In addition, we engage several third-party service providers to monitor cybersecurity threats in the market more broadly, including in relation to phishing, data leaks on the dark web, firewalls, code security and endpoint protection. To identify risks from cybersecurity threats associated with these third-party service providers, we conduct pre-contract screening and due diligence and post-contract monitoring.
Cybersecurity Task Force: We have formed a cross-functional Cybersecurity Task Force that focuses on long-term cybersecurity strategy. The Cybersecurity Task Force is composed of members from the information security, engineering and legal teams and reports to our Chief Technology and Product Officer. The Cybersecurity Task Force meets periodically to discuss developments and best practices in cybersecurity incident response. In addition, the Cybersecurity Task Force reviews the business impact and severity of potential cybersecurity incidents, as reported by our automated systems, utilization of the bug bounty program, and public reports on the threat landscape.
For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy and results of operations, see “Risk Factors – Risks Related to Data Security, Privacy and Fraud,” which are incorporated by reference into this Item 1C.
In the three most recently completed fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.
Corporate Governance
Our Board of Directors provides oversight of risks from cybersecurity threats, in coordination with our Audit Committee and management team. The following is a summary of our governance processes related to cybersecurity risk management:
Board: Our full Board receives biannual updates on cybersecurity from our Chief Technology and Product Officer (the “CTPO”) or head of cybersecurity (the “CISO”) to, among other items, review cybersecurity incidents, review key metrics on our cybersecurity program and related risk management programs, and discuss our cybersecurity programs and goals. Our Board also reviews cyber-related risks on a quarterly basis as part of our enterprise risk management program and receives updates from our Internal Audit team on the results of the risk monitoring and mitigation process, as described in more detail above.
Audit Committee: Our Audit Committee provides additional oversight of material risks from cybersecurity threats and engages with our CTPO or CISO regarding risk management of cybersecurity issues and to discuss potential updates to the Company’s cybersecurity risk management program, including as a result of any Cybersecurity Task Force findings. The Audit Committee receives a quarterly report from the Company’s cybersecurity team, which includes the CTPO, CISO, and members of the information security team, that summarizes progress on cyber-related key performance indicators, including product security, cloud security, risk and compliance, identity issues, and cyber defense. The Audit Committee updates the full Board on matters relating to material cybersecurity risks at least quarterly.
Management: Our CTPO is responsible for assessing and managing the Company’s material risks from cybersecurity threats, and our CISO reports directly to our CTPO regarding such threats. Our CTPO is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the management of and participation in the Company’s Internal Audit team, Incident Response Team and Cybersecurity Task Force, as described above. As discussed above, our CTPO or CISO reports biannually to the full Board and quarterly to the Audit Committee about risks from cybersecurity threats, among other cybersecurity-related matters. To the extent a material cybersecurity incident occurs, our CTPO and broader management team would inform the chair of our Audit Committee of the nature, scope and impact of the incident, and involve the other members of the Audit Committee or the full Board as necessary to evaluate the risks and determine next steps. Our CTPO has served in this role since 2023 and has more than 20 years of experience in various senior leadership roles involving managing cybersecurity and compliance teams, including as Head of Tech and Digital at Lovevery and as Chief Technology and Product Officer at Zulily.