Coursera, Inc. - (COUR)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. To this end, we maintain an information security program designed to protect our information, intellectual property, and systems, including the data we host and maintain for our learners, customers, and partners in accordance with industry standards and best practices.
Our information security team is led by our Senior Vice President of Engineering and our Head of Information Security, who together have over 35 years of technology industry experience and expertise in information security, cybersecurity, and distributed systems. This team is responsible for our information security program and protocols, including managing and coordinating efforts to prevent, mitigate, detect, and remediate cybersecurity incidents, and escalating significant security risks or incidents to executive management.
We have data and cybersecurity protection and control policies to facilitate a secure environment for sensitive information and to ensure the availability of critical data and systems. The information security management system supporting our online learning platform has been independently certified to the International Organization for Standardization (“ISO”) / International Electrotechnical Commission 27001:2013 standard. This standard is designed to promote risk management, cyber-resilience, and operational excellence with respect to an information security management system. Our online learning platform undergoes regular internal security testing, and we engage third-party providers to perform penetration and vulnerability tests. We have annual independent third-party audits conducted on system security and availability, such as Systems and Organization Controls 2 Type 2 (“SOC 2”) audit reports and ISO 27001 certification. Certain highly sensitive information, such as personally identifiable information (“PII”) about our learners in our online learning platform, is encrypted at rest and in transit using industry standards. We also require employees and contractors to undergo information security awareness training. In addition, to mitigate the financial impact of cybersecurity incidents, we maintain insurance to help cover losses resulting from such potential incidents.
We maintain a risk-based approach to identify and oversee cybersecurity risks, including risks presented by authorized service providers who have access to our systems or information. We have processes in place to assess and manage associated cybersecurity risks, which include conducting due diligence on the cybersecurity profile of the third-party provider and, in cases where PII is shared, ongoing cybersecurity and privacy obligations that are documented in data processing agreements. Our online learning platform is hosted by major cloud-hosting providers, and we require such providers and other third parties that have access to PII or certain other highly sensitive data to be independently SOC 2 attested and/or ISO 27001 certified to ensure that such service providers conform to our security standards.
Our board of directors (the “Board”) is responsible for monitoring and assessing strategic risk exposure, and our audit committee has been designated with the responsibility of overseeing our technology and information security, including cybersecurity, policies and practices, and the internal controls regarding information security. Our Senior Vice President of Engineering provides quarterly updates to the audit committee on these topics, as well as cybersecurity risk exposure and steps taken to monitor and mitigate such exposure. The Board receives reports from management on our information security and cybersecurity matters on an annual basis. In addition, our incident response process provides that our audit committee is notified in the event of a material cybersecurity incident.
Notwithstanding the foregoing efforts, there can be no assurance that the security measures we employ will prevent malicious or unauthorized access to our systems or information. Like many other businesses, we have experienced, and are continually subject to, cyberattacks. While these past cyberattacks have not materially affected us or, in our belief, are not reasonably likely to materially affect us, future cybersecurity incidents and threats may materially affect our business strategy, results of operations, or financial condition. For more information regarding our cybersecurity-related risks, refer to our risk factors included in Part I, Item 1A of this Form 10-K.