SoFi Technologies, Inc. - (SOFI)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Cyber Risk Management and Strategy
At SoFi, we recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that our customers share with us. Using guidance set forth in our Enterprise Risk Management program, we have implemented a cybersecurity risk management program to lead and support the management of information security risks in accordance with our risk profile and business strategy, which is informed by recognized industry standards and frameworks, such as International Organization for Standardization 27002:2013. For additional guidance, we also refer to the National Institute of Standards and Technology Cybersecurity Framework, Payment Card Industry Data Security Standard, Federal Financial Institutions Examination Council information security guidelines, and Center for Internet Security controls.
Our cybersecurity risk management program includes a number of components designed to identify, analyze, and respond to cybersecurity risks, including reliance on a layered system of preventative and detective technologies, controls, and policies designed to detect, mitigate, and contain cybersecurity threats. Information security program risk assessments and third-party attestations and assessments are conducted periodically by both internal and external resources. We leverage qualified third-party security assessors to identify vulnerabilities through both internal and external penetration tests, and we perform internal cybersecurity maturity assessments. In addition, our internal audit team conducts an information security and information technology audit on an annual basis. We are also subject to examinations by applicable regulators. We conduct cybersecurity awareness training for personnel upon hire and on a periodic basis thereafter, which includes phishing training campaigns.
As part of our cybersecurity risk management program, SoFi maintains a formal Third-Party Security Risk Management program that provides oversight of cybersecurity risks related to supplier relationships. During supplier onboarding, we perform risk-based due diligence for suppliers with access to confidential SoFi information or that require technical integration with SoFi systems. This program includes the provision of a cybersecurity risk assessment to these suppliers during onboarding as well as ongoing monitoring, assessment, and contract review.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For more information on risks to us from cybersecurity threats, see “Cyberattacks and other security breaches could have an adverse effect on our business, harm our reputation and expose us to liability and adversely affect our ability to collect payments and maintain accurate accounts. Efforts to prevent and respond to these attacks and breaches are costly” in Part I, Item 1A. “Risk Factors - Information Technology and Data Risks”.
Governance Related to Cybersecurity Risks
The Board of Directors has overall responsibility for risk oversight and has delegated oversight of our cybersecurity program to the Risk Committee, which comprises a minimum of three Board members. The Risk Committee is responsible for the information technology and cybersecurity function at the Company. Relevant duties include, but are not limited to, annually reviewing the cybersecurity program roadmap and materials related to significant planned projects and budgeted costs, and approving the cybersecurity program. The Risk Committee meets at least four times each year and discusses cybersecurity risk management as relevant and applicable.
Our CISO has primary responsibility for assessing and managing our cybersecurity program. The CISO has served in this role at SoFi for three years and has over twenty years of experience working in senior leadership positions in the cybersecurity industry. He previously served as the CISO at leading software and data analytics companies and co-founded a cybersecurity company. The CISO provides cybersecurity updates, including risks and threats, to the Risk Committee as appropriate, on a quarterly basis.