YELP INC - (YELP)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Computer viruses, malware, phishing attacks, denial-of-service attacks and similar cybersecurity threats present a common and constantly evolving risk in our industry. Accordingly, we have incorporated the assessment and management of material risks from cybersecurity threats into our overall risk management process. Our Engineering Security team, which is primarily responsible for identifying, assessing and managing material risks from cybersecurity threats, works with our Chief Technology Officer and other members of management to prioritize our cybersecurity risk management processes and mitigate cybersecurity threats that are most likely to materially impact our business. Our Chief Technology Officer and members of the Engineering Security team regularly report to the Audit Committee of our Board (the “Audit Committee”), which oversees our efforts to monitor and control cybersecurity risk, as discussed further below.
We have implemented and maintain various information security measures, processes, standards and policies, as applicable, designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, as well as the data of our users, customers, partners and employees (“Information Systems and Data”):
• Risk Identification and Assessment. The Engineering Security team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various internal resources as well as third-party products and services. For example, depending on the environment, system and data, we use manual and automated tools, including third-party cybersecurity software; subscription reports and services from threat intelligence service providers; scans of the threat environment; audits; and threat assessments.
• Risk Management. Depending on the environment, systems and data, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data. These include, as applicable to specific environments, systems and data, our Security Incident Response Plan, our Vulnerability Management Policy, data encryption, network security controls and data segregation.
• Vendor Management. We also have a vendor management program to manage cybersecurity risks associated with our use of third-party service providers, such as AWS, Oracle and Workday, to perform various functions throughout our business. The program includes risk assessments, security questionnaires and security assessment calls with vendors’ security personnel as appropriate. Depending on the nature of the services provided, the characteristics of the affected Information Systems and Data, and the identity of the provider, our process may involve different levels of assessment designed to help identify cybersecurity risks associated with the provider and imposing contractual obligations related to cybersecurity on the provider.
• Employee Engagement and Education. In addition to the processes and practices described above, we work to empower employees to recognize and respond to cybersecurity risks. For example, we regularly host hackathons, which encourage our Product and Engineering teams to collaborate to test creative ideas, including for security solutions. In addition to keeping employees informed about cybersecurity best practices throughout the year, our IT and Engineering Security teams host “Hacktober” each October to promote security awareness in honor of National Cyber Security Awareness Month. Hacktober consists of activities such as weekly trivia challenges to help educate employees about how they can securely access corporate systems, recognize and report phishing email attempts, and take other actions to protect Yelp. To test employee readiness, these teams also send simulated phishing emails that direct employees to additional training if they engage with the email contents.
At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations or financial condition. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see the section titled “Risk Factors—If our security measures are compromised, or if our platform is subject to attacks that degrade or deny the ability of users to access our content, users may curtail or stop use of our platform.”
Governance
Our Board oversees the Company’s aggregate risk profile and risk management process. The Board administers this oversight function with respect to cybersecurity risks through the Audit Committee, which is responsible for overseeing the Company’s cybersecurity risk management processes, including the steps our management has taken to monitor and control cybersecurity risks.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Technology Officer, our Vice President of Engineering Security and our Director of Engineering Security. Each of these individuals has extensive industry experience developed through a significant career in engineering, IT and systems management, and security, respectively. Our Chief Technology Officer received a B.A. in Computing and Artificial Intelligence, and his experience includes the development of intrusion detection and firewall functionality for products at a global technology company. Our Vice President of Engineering Security received an M.S. in Business Analytics, with a focus on Computer and Information Systems, and her experience includes more than 15 years in systems management and administration at a major U.S. financial institution. Our Director of Engineering Security received an M.S. in Telecommunications Networks with a specialization in Security, is a Certified Information Systems Security Professional, and has more than 15 years of experience building security programs, including building and leading the incident response team at a global software company.
Our Chief Technology Officer is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy and communicating key priorities to relevant personnel. Our Chief Technology Officer is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our Director of Engineering Security works with our Chief Technology Officer and Vice President of Engineering Security to develop a cybersecurity strategy that aligns with our business strategy and is responsible for implementing that strategy through his leadership of the day-to-day operations of our Engineering Security team.
Our Vulnerability Management Policy and Security Incident Response Plan are designed to escalate certain cybersecurity vulnerabilities and incidents, respectively, to members of management depending on the circumstances, including the Vice President, Director and other members of the Engineering Security team. Our Security Incident Response Plan also provides for escalations to our General Counsel and other members of the Legal team, as well as for notification of our Chief Technology Officer. The Engineering Security team and other members of management work with the incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified.
Our Chief Technology Officer and members of the Engineering Security team typically meet twice annually with the Audit Committee to review the Company’s significant cybersecurity threats and risks, as well as the processes the Company has implemented to address them. The Chair of the Audit Committee, in turn, reports to the full Board.