LendingTree, Inc. - (TREE)

10-K Filing Date: February 29, 2024
ITEM 1C. Cybersecurity
Governance Related to Cybersecurity Risks
Cybersecurity risk oversight is a top priority for management and our board of directors. Management is responsible for the day-to-day management of cybersecurity risks we face, while our board of directors, as a whole and through committees, is responsible for the oversight of risk management.
Our Chief Information Security Officer (“CISO”) is responsible for the assessment and management of cybersecurity risk. The individual currently serving as our CISO has over twenty-five years of experience in cybersecurity, information security, and risk management within the financial services industry. The CISO reports to our Chief Executive Officer (“CEO”) and provides updates to him on a regular basis of any cybersecurity matters.
Our board of directors oversees the management of our risks from cybersecurity threats. The board of directors has delegated the responsibility for the oversight of our cybersecurity risks program to the Audit Committee. The CISO provides cybersecurity updates to our Audit Committee as needed but at least on a quarterly basis covering cybersecurity matters, including a security scorecard, updates on policies, significant incidents or new developments in our cybersecurity risk profile. Our incident response process contemplates that management will notify the audit committee of a material cybersecurity incident.
Cybersecurity Risk Management
Cybersecurity is critical to our ongoing business as a provider of online marketplaces where consumers shop for financial services. Securing our business information, intellectual property, consumer, customer and employee data and technology systems is essential for the continuity of our business, meeting applicable regulatory requirements and maintaining the trust of our stakeholders.
To help protect the Company from a major cybersecurity incident that could have a material impact on operations or our financial results, we have implemented policies, procedures, programs and controls, including technology investments that focus on cybersecurity incident prevention, identification and mitigation. The steps we take to reduce our vulnerability to cyberattacks and to mitigate impacts from cybersecurity incidents include but are not limited to: establishing information security policies and standards, implementing information protection processes and technologies, monitoring our information technology systems for cybersecurity threats, assessing cybersecurity risk profiles of key third parties, engaging third-party experts and implementing cybersecurity training for our employees. Our cybersecurity risk management program leverages the National Institute of Standards and Technology (“NIST”) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation.
We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also prepares a monthly cyber scorecard, regularly collects data on cybersecurity threats and risk areas and conducts an annual cybersecurity risk assessment. Further, we conduct periodic external penetration tests to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a cybersecurity program to protect our investors, consumers, customers, employees, vendors, and intellectual property.
Additionally, we follow a cybersecurity incident response process that provides a framework for responding to cybersecurity incidents. The process identifies applicable requirements for incident disclosure and reporting and also provides protocols for incident evaluation, including the use of third-party service providers and partners, processes for notification and internal escalation of information to our senior management, the Board and the audit committee. It also addresses requirements for our external reporting obligations. The cybersecurity incident response process is reviewed and updated, as necessary, under the leadership of the Company’s Chief Information Security Officer (“CISO”) and General Counsel (“GC”).
We face a number of cybersecurity risks in connection with our business. Although we did not experience a material cybersecurity incident during the year ended December 31, 2023, the scope and impact of any future incident cannot be predicted. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, results of operations, or financial condition. See “Item 1A. Risk Factors” for more information on our cybersecurity-related risks.