Marqeta, Inc. - (MQ)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Our industry is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations. While we have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. See Item 1A, “Risk Factors,” in this Annual Report on Form 10-K, including the section titled “Risk Factors—Risks Relating to Regulation” for additional information regarding the risks related to cybersecurity threats.
Our Chief Information Security Officer (“CISO”) is responsible for Marqeta’s information security posture and cybersecurity program. We believe our CISO is qualified to assess and manage our material risks from cybersecurity threats based on 15 years of cybersecurity and risk management expertise as a security and risk management leader at various public and private companies and as a cyber threat intelligence analyst for a branch of the United States military. Our CISO reports to our Chief Product and Technology Officer and oversees a team of cybersecurity professionals in areas including Governance, Risk, and Compliance, Product and Infrastructure Security, Security Operations, and Identity Security.
Our cybersecurity program is designed to align with certain industry standards and best practices, such as ISO 27001 and the National Institute of Standards and Technology Cybersecurity Framework. We have a Cyber Incident Response Plan that defines roles and responsibilities in the event of a cybersecurity incident, as well as the processes for keeping the CISO, senior management, and the board of directors informed about the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee. Our CISO provides quarterly and as-needed briefings to the audit committee regarding cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, and activities of third-party consultants. Our audit committee provides quarterly and as-needed updates to the board of directors on such reports, and management provides annual and as-needed updates to the board of directors regarding our cybersecurity program.
We have policies and processes in place for assessing, identifying, and managing material cybersecurity risks, and integrate these processes into our overall risk management systems. We conduct periodic risk assessments to identify reasonably foreseeable internal and external cybersecurity risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we develop strategies, policies, standards, and action plans to minimize identified risks and reasonably address any identified gaps in existing safeguards. These steps include vulnerability management, shift-left secure product design, data encryption, endpoint security, network security, limiting and authorizing access controls, and multi-factor authentication for access to systems with data. We also employ system monitoring, logging, and alerting to retain and analyze the security state of our corporate and production infrastructure. As part of our overall risk management system, all employees are required to complete annual cybersecurity training and relevant employees are trained at least annually on applicable safeguards.
We engage consultants in connection with our risk assessment processes to help us design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards. We manage third-party service providers using a risk-based approach intended to determine whether the relevant third parties have the ability to implement and maintain appropriate security measures, consistent with all applicable laws; to implement and maintain reasonable security measures in connection with their work with us; and to promptly report any suspected breach of their security measures that may affect our business.
The maturation and scaling of our cybersecurity program is ongoing, and despite our investments in our cybersecurity program, there will always be residual risk and the potential for control failure or bypass by a determined cyber threat actor.