Block, Inc. - (SQ)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have a cybersecurity risk management program consisting of policies and procedures for assessing, identifying, and managing material risk from cybersecurity threats, and we have integrated these policies and procedures into our overall risk management systems and processes. Our cybersecurity policies and procedures are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. We routinely assess material risks from cybersecurity threats and regularly assess and update our cybersecurity risk management program in response to emerging trends and changes in our operations.
Our risk management program includes, among other elements:
Identification: We aim to proactively identify sources of risk, areas of impact, and relevant events that could give rise to cybersecurity risks, such as changes to our infrastructure, service providers, or personnel.
Assessment: We conduct periodic risk assessments to identify cybersecurity threats. We also conduct likelihood and impact assessments with the goal of identifying reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Management: Following our risk assessments, we design and implement reasonable safeguards to address any identified gaps in our existing processes and procedures. Our employees participate in cybersecurity training and awareness upon hire and at least annually thereafter.
We engage third parties, including consultants and auditors, to evaluate the effectiveness of our risk management program, control environment, and cybersecurity practices through security audits, penetration testing, and other engagements.
We have processes in place to identify, review and evaluate cybersecurity risks associated with our use of third-party service providers. These reviews are conducted at onboarding and periodically throughout the tenure of the service provider, based on the risk tier rating of each service provider. We believe these processes enable us to evaluate a third-party service provider’s security posture, identify risks that may arise out of our use of the third party’s service, and make decisions regarding acceptable levels of risk and risk mitigation.
For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K.
Board and Management’s Role in Data Privacy and Cybersecurity Oversight
Our board of directors recognizes the oversight of risk management as one of its primary responsibilities and central to maintaining an effective, risk-aware and accountable organization. While the board of directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain oversight responsibilities to our audit and risk committee. Our board of directors and audit and risk committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation, and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The audit and risk committee assists the board of directors in enhancing its understanding of data privacy and cybersecurity issues by overseeing our data privacy and information security programs, strategy, policies, standards, architecture, processes, and significant risks, as well as overseeing responses to security and data incidents, as appropriate.
The full board of directors undergoes annual information security and privacy training by our Chief Information Security Officer (“CISO”) and our Chief Privacy Officer (“CPO”), which covers, among other matters, our privacy and cybersecurity programs and risks. Our audit and risk committee receives updates, at least quarterly, from our CISO and CPO on significant data privacy and security risks, including any significant incidents, relevant industry developments, threat vectors and significant risks identified in periodic penetration tests or vulnerability scans. The updates also include significant legal and legislative developments concerning data privacy and security, our approach to complying with applicable law, and significant engagement with regulators concerning data privacy and cybersecurity. Our audit committee provides regular updates to the board of directors on such reports.
Our CISO oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our foundational engineering, data security governance, infrastructure security, product security and security operations teams report directly to our CISO and provide regular updates on significant or potentially significant threats and incidents. Additionally, we have an incident response team and an incident response plan that outlines the roles and responsibilities of key personnel, including representatives from information security, compliance, and counsel, that are involved in responding to, remediating and escalating such incidents to the CISO, as appropriate. Our CISO reports directly to our Chief Financial Officer and Chief Operating Officer and indirectly to our audit and risk committee. Our CISO provides updates on significant or potentially significant threats and incidents to our Block Head and leadership team, in addition to the audit and risk committee and our board of directors as appropriate and in accordance with the processes detailed in the prior paragraph.
Our CISO and Deputy CISO are primarily responsible for assessing and managing our material risks from cybersecurity threats. Our CISO has served in various roles building and securing enterprise platforms across retail, corporate and investment banking financial services as well as consumer experiences and data at multiple Fortune 500 companies for over 25 years. Our Deputy CISO has over 20 years of experience in information security, including serving as head of cybersecurity and privacy response at a global public company and information security leadership positions with the United States government. Our Deputy CISO holds undergraduate and graduate degrees in computer information systems and computer science with an information security focus and possesses various certifications, including the Information Systems Security Professional (NSTISSI No. 4011) and Information Systems Security Officer (CNSSI No. 4014) certifications.