EBAY INC - (EBAY)

10-K Filing Date: February 28, 2024
ITEM 1C: CYBERSECURITY

Risk Management and Strategy

Our approach to risk management is designed to identify, assess, prioritize and manage risk exposures that could affect our ability to execute our corporate strategy and fulfill our business objectives. As part of our comprehensive enterprise risk management (“ERM”) program, we perform risk assessments in which we map and prioritize cybersecurity risks identified through the processes described below, including risks associated with our use of third-party service providers, based on probability, immediacy and potential magnitude. These assessments inform our ERM strategies and oversight processes, and we view cybersecurity risks as one of the key risk categories we face. For example, our information technology and infrastructure may be vulnerable to cyberattacks (including ransomware attacks) or other security incidents, as a result of which unauthorized third parties may be able to access our users’ proprietary information and payment card data that are stored on or accessible through our systems. For more information regarding the cybersecurity-related risks we face, see the information in “Item 1A: Risk Factors” under the caption “Our business is subject to online security risks, including security breaches and cyberattacks.”

Our processes for assessing, identifying and managing cybersecurity risks and vulnerabilities are embedded across our business as part of our ERM program. Among other things, we (i) conduct audits and tests of our information systems (including reviews and assessments by independent third-party advisors) to help identify areas for continued focus and improvement; (ii) review cybersecurity threat information published by government entities and other organizations in which we participate; (iii) provide cybersecurity awareness training for all employees and enhanced training for information security and other specialized personnel; (iv) perform phishing simulation testing of all employees; (v) perform security risk assessments of third-party providers to evaluate controls, mitigations and contractual obligations, as well as reporting obligations in connection with cybersecurity events and other risks that could have an adverse impact on eBay data and information systems; (vi) perform security risk assessments of newly acquired companies as well as of material changes to products and technologies; and (vii) run tabletop exercises to simulate and test responses to cybersecurity incidents. We also maintain a “bug bounty” program to encourage professional security researchers to report potential security vulnerabilities to us. We use the findings from these and other processes, as well as benchmarking against industry practices, to improve our cybersecurity practices, procedures and technologies. We also have implemented and maintain cybersecurity incident response plans, which include processes to triage, assess, escalate, contain, investigate and remediate cybersecurity incidents, and to comply with potentially applicable legal obligations and mitigate brand and reputational damage. In addition, we maintain insurance to protect against potential losses arising from a cybersecurity incident.

Governance and Oversight

Our ERM program enables our Board of Directors (the “Board”) to establish a mutual understanding with management on the effectiveness of our cybersecurity risk management practices and capabilities, including the division of responsibilities for reviewing our risk exposure and risk tolerance, tracking emerging risks and ensuring proper escalation of certain key risks for periodic review by the Board and its committees. As part of its broader risk oversight activities, the Board oversees risks from cybersecurity threats, both directly and through the Risk Committee of the Board (the “Risk Committee”). As reflected in its charter, the Risk Committee assists the Board in its management of cybersecurity and data management risks and oversees our ERM function and structure, including governance structure and our guidelines and processes for risk assessment and risk management. The Audit Committee of the Board also oversees our audits and tests of our cybersecurity practices and controls, as well as our internal control over financial reporting, including with respect to financial reporting-related information systems.

As an element of its ERM oversight activities, the Risk Committee regularly reviews the results of our enterprise risk assessments, including cybersecurity risk assessments, as well as management's strategies to detect, monitor and manage such risks. The Risk Committee discusses these risks with our Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”) and reports to the Board on the substance of these reviews and discussions. Each year, the Risk Committee also receives “deep dive” reports from our CTO and CISO on cybersecurity and data management risks, and the full Board also discusses cybersecurity risks with our CTO and CISO at least once per year. In addition to these regularly scheduled updates, our CTO and CISO may also report to the Risk Committee or the full Board, as appropriate, on the management of certain cybersecurity risks and progress towards agreed mitigation goals, as well as any potential material risks from cybersecurity threats that have been detected by the information security team.

We maintain an information security policy, which was approved by the Board and delegates to our CISO the authority and responsibility for managing our information security program. Our CISO reports to our CTO and is responsible for day-to-day identification, assessment and management of the cybersecurity risks we face. Along with other senior managers, our CTO and CISO are also responsible for prioritizing cybersecurity risks and developing a culture of risk-aware practices. Existing and emerging cybersecurity risks are reported to and discussed with the CTO and CISO on a regular basis and as needed based on the threat level or severity of an incident.

Our CTO, Mazen Rawashdeh, has served in his role since July 2019 and previously served as our Chief Infrastructure and Architecture Officer since May 2016. Prior to that, he was VP of Infrastructure Engineering and Operations responsible for global infrastructure engineering at Twitter for over four years. He received his BSCS in computer science and mathematics. Our CISO, Sean Embry, has served in his role since August 2015 and previously served as the senior leader responsible for infrastructure and operations engineering at Salesforce for three years. He received his BSBA in management information systems and decision sciences, and his MBA in information technology management.

In accordance with our information security incident response plans, our information security team assesses the severity of any incidents it detects and follows escalation procedures embedded within the plans for upward reporting to the CISO and CTO, other members of management and the Board, each as needed. In addition to the ordinary-course Board and Risk Committee reporting and oversight described above, we also maintain disclosure controls and procedures, including within our cybersecurity incident response plans, designed for analysis of potentially material events covered by our risk management framework, including cybersecurity incidents or threats.