Robinhood Markets, Inc. - (HOOD)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
We rely on technology, including the internet and mobile services, to conduct much of our business activity and allow our customers to conduct financial transactions on our platform. As a result, our systems and operations as well as those of the third parties on which we rely to conduct certain key functions are vulnerable to cybersecurity incidents, which we have experienced in the past. We have a cybersecurity program that includes physical, technological, and administrative controls to detect, contain, respond to and remediate cybersecurity threats and incidents and defined processes to assess, identify and manage material risks from cybersecurity threats. These controls and processes include, among others:
maintaining a vulnerability management program that performs regular vulnerability scans and relies on our risk-based information security program to promote coverage of critical areas;
establishing an offensive security team that actively tests our security controls by imitating the methods that persons attempting to gain unauthorized access might use, in order to identify any weaknesses;
our global privacy program supported by our privacy engineering and privacy legal teams and the Privacy Advisory Council, a cross-functional team of senior leaders from legal, engineering, product, and compliance;
maintaining an incident response plan which includes required responses in the event of a cybersecurity incident;
conducting mandatory annual security and privacy training for all employees and contractors and, where appropriate, giving employees and contractors role-based training focused on content specific to their role at the Company;
undertaking an annual review of our consumer-facing policies and statements related to cybersecurity;
requiring employees to treat customer information and data with care through policy, practice and contract (as applicable);
leveraging the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
carrying information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Our cybersecurity program is managed by the Company’s Security and Corporate Engineering organization, which is led by our CSO, who reports directly to the CEO. Currently, our CSO is Erika Dean. Ms. Dean, who joined the Company in 2021, has over twenty years of experience in the security industry. Prior to joining our Company, she held a variety of leadership positions in cybersecurity at Capital One, including as Vice President, Divisional Chief Information Security Officer. Additionally, several of Robinhood’s subsidiaries, including RHC, RHF, and RHS, have a Chief Information Security Officer, who reports to the CSO, and a Risk Operating Committee (“ROC”) that manages risks, including cybersecurity risks, specific to each entity. The Chief Information Security Officers have expertise in cybersecurity, industry and regulatory standards, risk management, and security operations. The Security organization elevates risks to the ROCs where applicable. Our cybersecurity program is aligned with industry standards and best practices, such as the NIST CSF, and we engage third-party consultants annually to conduct a NIST CSF maturity assessment of our cybersecurity program.
We maintain a Third Party Security and Privacy Policy and conduct security reviews of vendors, including for potential fourth-party risks, prior to and during their contracts with Robinhood and require all third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. Any identified security or privacy risks of doing business with a vendor, including potential fourth-party risks, are highlighted to business owners to help make informed risk-based decisions.
We also engage the assistance of third-party consultants to increase protection of our information and IT systems and network to help secure long-term value for our stakeholders. Services provided by third-party consultants include, but are not limited to: regular assessments to our cybersecurity program including cyber maturity assessments and penetration tests; risk scoring of our critical business partners and vendors; and participating in incident response processes.
Management is responsible for day-to-day risk operations and management processes. Management has established cybersecurity standards to improve the Company’s cybersecurity risk posture and to help define and implement appropriate measures to protect the Company’s systems and data from cyber threats. In addition to our Internal Audit and Compliance functions, the Company has a management ERC, which comprises senior leaders of the Company, including the CEO, CFO, CLO, CSO, Vice President of Risk and Audit, and CBO, among others, and reviews on at least a quarterly basis risks that are escalated by the Company’s ERM function, including cybersecurity risks. ERM maintains a risk taxonomy and a scoring methodology designed to ensure risks are elevated in a clear and transparent manner, and further escalates top risks to the Safety Committee, along with planned mitigants and monitoring procedures.
If a cybersecurity incident occurs, incident response procedures are in place to ensure that the occurrence is appropriately reported to the CSO, and business continuity plans are mobilized to minimize disruption to business operations. We have also implemented guidelines to outline communications responsibilities during incidents of all severity levels, including the escalation process for alerting senior management of high severity incidents.
If a significant cybersecurity incident occurs, we will conduct an assessment to determine if it is material to us. If a materiality assessment is required, the CSO will report such an incident to our Materiality Assessment Committee (“MAC”), which consists of the CFO, CLO, and CBO (in addition to the CSO). The MAC will then determine, without unreasonable delay, whether the incident is material to the Company. In making such determination, the MAC may consult with the CEO, other members of the Company’s management, and the Company’s outside professional advisors, in each case, as appropriate. The incident materiality determination will be made by considering all relevant quantitative and qualitative factors, including without limitation: the nature, size and scope of the incident; financial condition; results of operations; litigation or regulatory investigations/actions; the Company’s reputation, and customer and vendor relationships; and competitiveness.
The principal role of our board of directors and the Safety Committee is one of oversight, recognizing that management is responsible for the design, implementation, and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The Safety Committee reviews management’s exercise of its responsibility to identify, assess, manage, monitor and mitigate material risks not specifically allocated to the board of directors or another of its committees. The Safety Committee has been explicitly assigned the responsibility to oversee risks from cybersecurity threats, among others, and the full board of directors will be notified when the MAC is assessing a cybersecurity incident and informed of any required disclosures. Our board of directors and Safety Committee receive updates on relevant industry developments, threats, and material risks identified as needed each quarter. The board of directors and the Safety Committee also receive updates concerning data privacy and security, including material legal and legislative developments and the rapidly evolving cybersecurity risk landscape, and the Safety Committee facilitates the board of directors’ oversight responsibilities.
Our systems and those of our customers and third-party service providers have been and might in the future be vulnerable to cybersecurity threats. For more information about risks related to cybersecurity threats, including previous cybersecurity incidents (including the November 2021 Data Security Incident (defined below)), that have materially affected or are reasonably likely to materially affect our business, financial condition, and results of operations, see “Risk Factors–Our business could be materially and adversely affected by a cybersecurity breach or other cybersecurity incident involving our information systems or data or those of our customers or third-party or fourth-party service providers.”