Matterport, Inc./DE - (MTTR)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Our cybersecurity policies, standards, processes, and practices are fully integrated into the Company’s risk management and incident response program and are based on recognized frameworks established by the National Institute of Standards and Technology (NIST), the American Institute of Certified Public Accountants (AICPA), the International Organization for Standardization (ISO) and other applicable industry standards. We take a multi-layered approach to cybersecurity, continually updating, innovating, and refining our security practices, policies and procedures to mitigate risk, meet new industry standards and address the evolving threat landscape. The overall cybersecurity program is modeled on the NIST Cybersecurity Framework and customized to meet our specific needs.
Governance: Our Board of Directors, in coordination with the Audit Committee, oversees the Company’s risk management process, including the management of risks arising from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, and ongoing updates regarding any such incident until it has been addressed.
Security Leadership and Function Team: Our Chief Information Officer oversees our Security organization, which is a team of people dedicated to keeping company and personal information and systems safe from unauthorized alteration, disclosure, destruction and intrusion. Our CIO has more than 20 years of extensive information technology and cybersecurity management experience. Our Security Steering Committee is made up of our Chief Information Officer (CIO), Chief Technology Officer (CTO), members of our Information Security Team, and key individuals depending on the risk being addressed. The Security Steering Committee meets quarterly to review security risks and discuss upcoming priorities. The CIO, in coordination with the Security Steering Committee, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats, lower the risk of a cybersecurity incident, and promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. We continue to invest in enterprise-grade certification of our practices. In the event of an incident, we intend to follow our detailed incident response protocol, which outlines the steps to be followed from incident detection through investigation, mitigation, recovery and communication, including notifying functional areas, senior leadership and the Board, as appropriate.
Our cybersecurity program is focused on the following key areas:
Collaborative Approach: Our cybersecurity program leverages a defense-in-depth strategy to proactively identify and remediate threats. The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Physical, Administrative, and Technical Safeguards: The Company deploys appropriate safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including endpoint security, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments, penetration tests, and cybersecurity threat intelligence.
Incident Response and Recovery Planning: We established and maintain comprehensive incident response and recovery policies and procedures that fully address the Company’s response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis. We build resilience into our business model and roadmap, and work to avoid cybersecurity incidents. If an issue does occur, we rapidly identify and resolve it through our formalized incident response program designed to help us quickly detect, respond to and recover from any incident.
Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness: All employees must complete mandatory, annual comprehensive security awareness training. Our Security organization updates the training to address emerging threats and trends. We also conduct periodic phishing and other social engineering simulations to test our defenses and offer focused phishing training for those who may require additional education.
In addition, we perform periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including internal validation and external audits, risk assessments, penetration tests, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments of our cybersecurity measures, including SOC 2 reporting, SOX IT audits, and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Security Steering Committee and the Audit Committee. The Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and threat intelligence. The Company is unaware of any cybersecurity threats that have materially affected or are reasonably likely to impact it.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See the risk factor entitled “We rely significantly on the use of information technology. Cybersecurity risks – any technology failures causing a material disruption to operational technology or cyber-attacks on our systems affecting our ability to protect the integrity and security of customer and employee information – could harm our reputation and/or could disrupt our operations and negatively impact our business” in Item 1A - Risk Factors.