Compass, Inc. - (COMP)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Overview of Cybersecurity Risk Management Program

Cybersecurity is an ongoing priority, and we remain focused on our obligation to assess, identify and manage risks from cybersecurity threats and cybersecurity incidents. We have developed and implemented a cybersecurity risk management program that employs a multitude of measures and processes that aid in these efforts. This program is designed to protect our information systems, detect cybersecurity threats and ensure our compliance with applicable privacy and cybersecurity laws.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program and is considered an integral part of our overall risk assessment process. For example, we report, review and consider results and findings from external and internal security and privacy assessments as part of our overall risk assessment process, and we analyze how cybersecurity risks interplay with operational, financial, compliance and reputational risks.
As part of our cybersecurity risk management program, we undertake various activities, including, but not limited to, detective, preventative, and automated controls; user access controls; a centralized security information and management system; periodic assessments, including penetration testing; periodic trainings and simulations; and policies for the handling of personally identifiable information. We closely monitor the privacy and cybersecurity laws and regulations and conduct related reviews of our policies. We have implemented incident response plans providing for response, containment, reporting and disclosure and recovery, including providing training and remediation steps for internal threats. We also carry customary cybersecurity risk insurance.

In addition, we use third party service providers, when appropriate, to assess, test or otherwise assist with certain aspects of our cybersecurity risk management program. For example, we leverage external assessors such as security researchers and penetration testers to identify vulnerabilities in our information systems.

Further, our cybersecurity risk management program includes processes that address cybersecurity risks associated with our use of third-party service providers that have access to our information systems and/or employee, agent or agent client confidential information. For example, we perform certain due diligence before engaging third-party service providers and consider potential cybersecurity risks and exposures in our choice among providers. We also generally require our third-party service providers that could potentially introduce cybersecurity risks to our information systems or sensitive consumer personal information to contractually agree to maintain a cybersecurity risk management program aimed at mitigating those risks and to be subject to external cybersecurity audits.

Cybersecurity Risk Management Program Assessments and Risks Associated With Cybersecurity Threats

While we have assessed our cybersecurity risk management program periodically in the past, in the second half of 2023, we started to utilize a leading industry cybersecurity framework in our assessments. Specifically, we use this framework to assess our cybersecurity controls against industry best practices in the areas of: identify and protect assets, detect and respond to suspicious activity, as well as recover from cybersecurity incidents. Based on the results of our initial assessment, we have developed a multi-year plan that allows us to focus on the highest priorities. Under the plan, we are required to make additional investments to enhance our processes and practices over a period of time.

Additionally, as part of our continuous overall cybersecurity posture assessment, we conduct incident simulations based on recent public cybersecurity incidents, incorporating the tactics, techniques and procedures threat actors have used when targeting organizations. We leverage results from these simulations to take corrective action or otherwise augment our abilities to defend and protect our information systems.

While we have been subject to a number of cybersecurity threats and experienced non-material incidents in the past, they have not had a material adverse effect on our business, financial condition or results of operations. Our third-party service providers have also been subject to a number of cybersecurity threats and incidents, but to date, none of those threats and incidents have had a materially adverse effect on our business, financial condition or results of operations.

Cybersecurity Governance

Our Information Security team oversees our cybersecurity risk management program, which is described in more detail above. In conjunction with the Company’s in-house legal team, this team is principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity threats and incidents. Our Information Security team is segmented into six subteams and includes a dedicated Governance, Risk and Compliance subteam that is responsible for risk assessment, risk mitigation strategies, regulatory compliance, audits, internal governance and policy enforcement.

We have also established a Security and Privacy Committee (“Committee”), co-chaired by our Senior Vice President, Head of Engineering and General Counsel, that meets monthly. This Committee is responsible for setting cybersecurity policies, strategies, and priorities, as well as ensuring that cybersecurity initiatives are aligned with the Company’s objectives. Members of the Committee may, from time to time, include representatives from security and compliance, internal audit, legal, product, engineering, finance, operations, strategy and people and culture functions. In addition to the monthly communications at the Committee level, our Information Security team collaborates with senior leadership across our organization on a regular basis as part of the Company’s overall enterprise risk management program.

Our Chief Information Security Officer (“CISO”) recently left the Company and we are in the process of recruiting a new, permanent CISO. We have engaged a temporary third-party CISO (sometimes referred to as a “Virtual CISO”) to oversee the cybersecurity risk management program and assist the Information Security team. Our Virtual CISO has over 20 years of experience working in the Information Security field and is a Certified Information Systems Security Professional. Specifically, she has experience managing and administering enterprise infrastructure, network communications, and information security. Our Virtual CISO receives regular reports from the Information Security team and will advise the team on incident response, execute any remediation plans, assist with drafting policy, and perform industry standard simulations and security assessments. The Virtual CISO reports to our Senior Vice President and Head of Engineering.

Our Virtual CISO will report quarterly to the Audit Committee of the Board of Directors (the “Audit Committee”), which is responsible for overseeing the Company’s cybersecurity risk management program and cybersecurity risks. As part of that report, our Virtual CISO is expected to cover topics such as (i) an overview of our overall cybersecurity strategy and posture, (ii) results and recommendations from cybersecurity risk assessments and audits, (iii) vulnerabilities in our information systems, (iv) progress towards pre-determined risk-mitigation goals, (v) identified and potential cybersecurity risks and threats, (vi) cybersecurity incidents of certain impact in accordance with the Company’s cybersecurity policies, and (vii) programs related to mitigation of cybersecurity risks and potential threats, among other things. The Audit Committee reports to the full Board of Directors regarding its activities, including reports that it receives from our CISO.

Once hired, we expect our permanent CISO to continue strengthening our information security posture, assist with incident response and any remediation plans, and provide quarterly reports to the Audit Committee, as we transition from using a Virtual CISO.