Clear Secure, Inc. - (YOU)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
CLEAR’s information security program is managed by a dedicated Chief Information Security Officer (“CISO”), whose team is responsible for leading the Company’s Enterprise Risk Management Program (“ERM Program”), which includes cybersecurity strategy, policy, standards, architecture, and processes. Our current CISO, together with his team, continues to implement, monitor, and maintain our cybersecurity program while we search for his successor. Cybersecurity risks are identified, discussed and assessed regularly as part of CLEAR’s ERM Program. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds. We utilize a range of external experts, such as cybersecurity assessors, consultants and auditors, in evaluating and testing our cybersecurity systems. In addition, the Company has established the CLEAR Security Advisory Board, which provides guidance and advice on security risk and privacy to our Board and our CISO.
The Audit Committee of the Board predominantly oversees risk, including data security and oversight of cybersecurity risks, providing regular updates to the Board. The CISO provides periodic reports to our Board and Audit Committee, as well as our Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. In addition, the top 10 cybersecurity risks identified as part of the ERM Program are identified to our Audit Committee on a quarterly basis.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.