Squarespace, Inc. - (SQSP)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We address cybersecurity incidents through a multi-layered approach. We have a dedicated staff of security engineers who monitor our internal systems and assets for vulnerabilities and risks. These engineers also conduct security assessments on third party providers before engagement to ensure compliance with our cybersecurity standards. They regularly run security assessments and penetration tests against our infrastructure, testing for security weaknesses and vulnerabilities, in addition to performing threat modeling exercises when building new or materially modifying existing systems, components and platforms to confirm proper protection and handling of data.
When a security event is detected or otherwise identified, the security team initiates an investigation to determine whether the event is considered a cybersecurity incident. Upon identification of a cybersecurity incident, the security team will escalate the incident to the Incident Response Team, an interdisciplinary team made up of engineers who are experts in cybersecurity and/or Squarespace systems as well as members of the Legal team. The Incident Response Team makes a preliminary assessment as to the significance of the cybersecurity incident based on quantitative and qualitative factors. If the Incident Response Team believes that a cybersecurity incident could have a potentially significant impact on our business, the incident is reported to our Risk Management Committee, which consists of our Chief Executive Officer, Chief Financial Officer, General Counsel and a member of the Legal team with responsibility covering cybersecurity risk. The Risk Management Committee oversees the assessment and management of cybersecurity incidents reported to it and cybersecurity incident assessments by the Risk Management Committee will include the involvement of experts from our security, engineering and privacy functions as necessary. Material incidents would be promptly reported to the Audit Committee of our Board of Directors.
Our Audit Committee oversees risks related to data privacy, technology and information security, including cybersecurity, and the steps taken to monitor and control such exposures. Our management team provides the Audit Committee with regular updates on cybersecurity risk. The Audit Committee would also be promptly informed of any material cybersecurity incidents.
To date, the Company has not engaged assessors, consultants, auditors, or other third parties in connection with its processes for assessing, identifying and managing material risks from cybersecurity threats.
To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business, our business strategy, our results of operations or our financial condition.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under “Item 1A. Risk Factors”.