Match Group, Inc. - (MTCH)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Match Group maintains an enterprise-wide information security program designed to identify, protect against, detect, respond to, and manage reasonably foreseeable cybersecurity risks and threats. Our information security teams, led by our Senior Vice President, Security Engineering, are responsible for assessing and managing our exposure to information security risks, including by:
• Implementing and enforcing physical, operational and technical security policies, procedures and controls;
• Conducting, and engaging independent third-party experts to conduct, regular internal and external security assessments and audits, including assessments of the security posture of third-party vendors and partners;
• Collaborating with our development teams to engineer and integrate security throughout the product development lifecycle;
• Implementing scalable and continuous data protection practices; and
• Detecting, monitoring, investigating, and responding to potential security threats and incidents.
With a focus on both product and enterprise security, the security program has been set up to protect our information systems from cybersecurity threats as part of our development lifecycles and our ongoing business operations. We implement various technical and operational processes to help prevent, identify, escalate, investigate, resolve, and recover from vulnerabilities and security incidents in a timely manner. These include, but are not limited to, monitoring and detection tools, internal and third-party penetration testing, continuous testing by a dedicated red team, a comprehensive bug bounty program to allow security researchers to assist us in identifying vulnerabilities in our services before they are exploited, and annual and ongoing security awareness training for employees.
We have implemented cybersecurity controls to detect and address threats arising from our use of third-party service providers. Security risk assessments are conducted during onboarding, contract renewal, and when an increased risk profile is identified. We also require specified security controls and other responsibilities from our service providers and we investigate security incidents affecting them as deemed necessary.
Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the International Organization for Standardization (“ISO”) and other applicable industry standards. Our cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. Cybersecurity processes are adjusted based on the information provided from these assessments. We have also obtained industry certifications and attestations that demonstrate our dedication to protecting the data our users entrust to us, including Tinder obtaining certification for its Information Security Management System (ISMS) under the ISO/IEC 27001:2022 standard.
We conduct regular reviews and tests of our information security program and leverage audits by our internal audit team and ongoing testing by our red team. We employ external services to conduct tabletop exercises, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning across Match Group’s businesses. The results of these assessments are reported to the Audit Committee of our Board of Directors.
We have established standardized and comprehensive incident response and recovery plans across Match Group’s businesses. Our incident response and recovery plans address — and guide our employees, management, and our Board of Directors on — our response to a cybersecurity incident, and our procedures with regard to material incidents. We regularly test and evaluate the effectiveness of our incident response process.
Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our users) and other data, confidential information or intellectual property.
We have not identified risks from cybersecurity threats, including from previous cybersecurity incidents, that have materially affected us. However, we face ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Any significant disruption to our service or unauthorized access to our systems could result in a loss of users and adversely affect our business, financial condition, and results of operations. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition, and results of operations. While Match Group maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For additional discussion of cybersecurity risks, see “Item 1A Risk factors—Risks relating to our business—We may not be able to protect our systems and infrastructure from cyberattacks and may be adversely affected by cyberattacks experienced by third parties.”
Governance
Board Oversight
Our Board of Directors, in coordination with the Audit Committee, oversees our management of cybersecurity risk, including our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. The Audit Committee directly oversees our cybersecurity program. The Audit Committee receives quarterly cybersecurity updates from management, including risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents. Cybersecurity reviews by the Audit Committee or the Board of Directors generally occur quarterly, or more frequently as determined to be necessary or advisable.
Management’s Role
Our cybersecurity program is managed by our SVP, Security Engineering, who reports to our Chief Business Affairs and Legal Officer. Our SVP, Security Engineering, has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Our information security program encompasses partnerships among teams that are responsible for cyber governance, prevention, detection and remediation activities within our cybersecurity environment. Team members have relevant certifications, educational and industry experience, including experience holding similar positions at other large technology companies. The information security teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings. Our information security leadership reports directly to the Audit Committee or the Board of Directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues. We also maintain an escalation process to inform senior management and the Board of Directors of material issues and make determinations with respect to any required disclosures.