Frontdoor, Inc. - (FTDR)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Risk Assessment, Identification and Management Processes

We have implemented a cybersecurity risk management strategy to assess, identify and manage material risks from cybersecurity threats. This strategy is designed to protect our systems, data, and operations from potential cyber threats and to ensure the continuity of our business operations.

We conduct regular risk assessments to identify potential cybersecurity threats. These assessments involve evaluating our systems, networks and data for vulnerabilities that could be exploited by cyber threats, through, among other things, vulnerability scanning and penetration testing. Once risks are identified, we implement measures to manage and mitigate these risks. This includes updating and patching our systems, implementing security controls and monitoring our networks for suspicious activity. We have a process in place to respond to any identified threats, which includes containment, eradication and recovery measures. We also monitor and update our cybersecurity risk management strategy to respond to the evolving cyber threat landscape. This includes staying abreast of the latest cybersecurity threats and trends and updating our systems and processes accordingly.

Integration with Overall Risk Management. Our cybersecurity processes are integrated into our overall enterprise risk management program and business continuity processes. In this regard, we address cybersecurity risks through a comprehensive, cross-functional approach across our technology, legal, compliance, finance, and other teams aimed at preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. This integration helps ensure that the breadth of potential impacts from cybersecurity risks is considered and that our approach to managing these risks is consistent and coordinated across teams within our business. Through our enterprise risk management program, our cybersecurity risk is regularly evaluated, and we regularly report this assessment of our cybersecurity risk to management and to the audit committee of our board of directors. We also periodically review our cybersecurity risk with our entire board of directors.

Engaging Third Parties in Risk Management. We use a combination of internal resources and external assessors, consultants and auditors to conduct our cybersecurity risk assessments and identification. We periodically examine our cybersecurity program with these third parties, evaluating its effectiveness in part by considering industry standards and established frameworks, such as the National Institute of Standards and Technology (NIST), as guidelines, along with compliance with our internal cybersecurity controls. We also work with third parties to assess our incident response preparedness and to manage and track our risks.

Overseeing Risks Associated with Third-Party Service Providers. We have established a third-party risk management program to evaluate new and existing third-party service providers for their security controls and processes; identify cyber risks associated with third-party service providers that require remediation tracking; and continuously monitor the cyber risk posture of third-party service providers.

Where appropriate, our contracts with third-party service providers require agreement and adherence to security and privacy requirements, including: the proper access, use, retention and deletion of data; security awareness training; security incident response and breach notification; our rights to security assessment, testing and audits; compliance with laws and industry standards; and system and services requirements. For example, we require our business process outsourcers, which are providers that support certain customer services operations and other services, to complete security awareness training and payment card industry data security standards training.

Risks from Cybersecurity Threats

As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition; however, see Item 1A. Risk Factors in Part I of this Annual Report on Form 10-K for a discussion of effects that a cybersecurity threat or incident could have on our business strategy, results of operations or financial condition. We also maintain an incident response plan to respond to any cybersecurity incident. This plan outlines the steps we will take to respond to an incident, including identifying and containing the incident, eradicating the threat, recovering our systems and communicating with relevant stakeholders.

Board of Directors Oversight of Cybersecurity Risk

Our board of directors is responsible for oversight of our enterprise risk management program, which incorporates cybersecurity risk. The audit committee undertakes primary responsibility for assisting the board of directors in overseeing cybersecurity risk, including policies and procedures for assessing, managing and responding to cybersecurity risk. The audit committee meets with appropriate members of our management team at least quarterly—and third-party assessors, consultants and auditors as needed—to review and discuss cybersecurity risk.

The full board of directors receives quarterly updates from the audit committee on its oversight of cybersecurity risk and engages in further review for the full board of directors from time to time as appropriate.

Management’s Role in Assessing and Managing Material Risks

Our technology team, and particularly our information security team, is actively involved in the development and implementation of policies and tools to assess risk and identify emergent risks, with cross-functional support from enterprise risk management, legal, compliance and finance, among other teams. We have established governance structures to increase the maturity of our cybersecurity program with a governance, risk and compliance approach. This includes the identification of internal weaknesses and the mitigation of IT risks through training programs or new policies and internal controls.

Management is also responsible for the testing of the overall security posture and the documentation of risk management and security for regulatory examinations and for regular review of security and privacy requirements. In addition to our internal cybersecurity team, our company has retained a third-party security firm to aid in the identification, containment, eradication and recovery of systems, data or both in the event of a material security incident.

Risk Management Personnel. Among management, our Chief Technology Officer (“CTO”) and our Chief Information Security Officer (“CISO”) are responsible for leading efforts to assess and manage cybersecurity risks. Our CTO has over 20 years of experience leading technology teams and developing applications and other digital solutions for commerce, incorporating the assessment and management of cybersecurity risk, and holds a Master’s degree in Engineering Management and a Bachelor’s degree in Computer Science. Our CISO has over 20 years of experience assessing and managing cybersecurity risk, including leading information security teams at complex web-based businesses, and holds a Master’s degree in Computer Information Systems and multiple professional and cybersecurity certifications, including CISM, CDPSE, CIPM, CIPT, and PMP.

Monitoring Cybersecurity Incidents. On a daily basis, our information security team monitors, identifies and classifies potential cybersecurity events and is responsible for notifying the CTO and CISO of such events as appropriate based on risk to our organization. Our CTO and CISO are responsible for notifying executive leadership, other functional teams and our audit committee, as appropriate.

Reporting to the Board of Directors. Our CTO and CISO report to the audit committee at least quarterly about the detection, prevention, mitigation and remediation of cybersecurity events, including information about the latest cybersecurity threats, the status of our prevention and detection measures and the effectiveness of our mitigation and remediation efforts, as well as any other cybersecurity risk management activities and the progress of related projects. These briefings include updates on the formalized incident response plan, communications and escalation procedures. Management will apprise the board of directors of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.