Remitly Global, Inc. - (RELY)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management
Cybersecurity risk management is an integral part of our overall enterprise risk management program. Our cybersecurity risk management program is designed to follow our industry’s best practices and provides a framework for identifying, monitoring, assessing, and responding to cybersecurity threats and incidents, including threats and incidents associated with the use of third-party vendors and service providers, and facilitating coordination across different departments of the Company. This framework includes steps for identifying the source of a cybersecurity threat or incident, including whether such cybersecurity threat or incident is associated with a third-party vendor or service provider; assessing the severity and risk of a cybersecurity threat or incident; implementing cybersecurity countermeasures and mitigation strategies; and informing management, our audit and risk committee, and our board of directors of potentially material cybersecurity threats and incidents or other significant changes in the evolving cybersecurity threat landscape.
Our information security team is responsible for assessing and maintaining our cybersecurity risk management program. In addition, our information security team engages third-party security experts on an as-needed basis for risk assessment and system enhancements. Our information security team also facilitates training for all employees during the onboarding process and annually, with additional training as we deem appropriate. We review or update our cybersecurity policies annually, or more frequently on an as-needed basis, to account for changes in the evolving cybersecurity threat landscape as well as legal and regulatory developments. Although we have continued to invest in our due diligence, onboarding, and monitoring capabilities over critical third parties with whom we do business, including our third-party vendors and service providers, our control over the security posture of, and ability to monitor the cybersecurity practices of, such third parties remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such third parties. When we do become aware that a third-party vendor or service provider has experienced such compromise or failure, we attempt to mitigate our risk, including by terminating such third party’s connection to our information systems and networks where appropriate.
In 2023, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors–Cybersecurity, Privacy, Intellectual Property, and Technology Risks” in this Annual Report on Form 10-K.
Cybersecurity Governance
Our management, Chief Information Security Officer (“CISO”), information security team, and legal team are responsible for identifying and assessing cybersecurity risks on an ongoing basis, establishing processes designed to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation and remediation measures, and maintaining cybersecurity programs. Our cybersecurity programs are managed under the direction of our CISO, who receives reports from our information security team and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks. Our CISO and dedicated information security personnel maintain certain cybersecurity-related certifications and are experienced information systems security professionals and information security managers with many years of experience. In particular, our CISO maintains the following certifications: Certified Information Systems Auditor from the Information Systems Audit and Control Association and Certified Information Systems Security Professional from ISC2. Our management, CISO, and information security team provide updates on at least a quarterly basis to our audit and risk committee on the Company’s cybersecurity programs, material cybersecurity risks and mitigation strategies, and provide cybersecurity reports on at least a quarterly basis that cover, among other topics, third-party assessments of the Company’s cybersecurity programs, updates to the Company’s cybersecurity programs and mitigation strategies, and other cybersecurity developments. In addition to such regular updates, and as part of our incident response processes, our CISO also provides updates on certain cybersecurity threats and incidents to the audit and risk committee and, as necessary, to the full board of directors, based on the assessment of risk by our management, CISO, information security team, and legal team.
Our board of directors has oversight responsibility for our overall enterprise risk management, and delegates cybersecurity risk management oversight to our audit and risk committee. As part of its enterprise risk management efforts, our board of directors also meets with management, including our CISO, to assess and respond to critical business risks, including those that may arise from cybersecurity threats and incidents. Our audit and risk committee is responsible for ensuring that management has policies and processes in place designed to identify, monitor, assess, and respond to cybersecurity, data privacy, and other information technology risks to which the Company is exposed. Further, our audit and risk committee reports material cybersecurity risks to our full board of directors, based on the assessment of risk by our management, CISO, information security team, and legal team.