Wayfair Inc. - (W)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as our business depends on customers trusting that their shopping experience with us is both reliable and safe. We have integrated cybersecurity risk management into our broader risk management framework through various mechanisms, including (i) our regular enterprise risk management updates to the Audit Committee, (ii) our information technology and security related internal controls and (iii) our global incident response and vulnerability management programs.
We view cybersecurity as a shared responsibility across the company and this integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. All employees are required to complete yearly security training, and we periodically perform tabletop exercises with management participation. Further, our cybersecurity, privacy, procurement, legal and other cross-functional teams work together to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We use various security tools and processes to help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner, including, but not limited to, internal reporting, monitoring and detection tools and a vulnerability identification program.
Recognizing the complexity and evolving nature of cybersecurity threats, Wayfair engages with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, with a goal of ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.
In order to mitigate data or security incidents that may originate from third-party vendors or suppliers, we conduct both privacy and security assessments to properly identify, prioritize, assess and remediate any third-party risks, and require security and privacy addenda to our contracts where applicable.
The nature of our business exposes us to cybersecurity threats and attacks that can lead to the unauthorized acquisition or access, compromise, loss, misuse or theft of our data, including personal information, confidential information or intellectual property. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the company, including our business strategy, results of operations, or financial condition. See Part 1, Item 1A, Risk Factors, in this Annual Report on Form 10-K for a discussion of cybersecurity risks.
Governance
Our Board of Directors (the “Board”) is ultimately responsible for the risk oversight of the company, including cybersecurity and privacy risks. Our Board has delegated responsibility for oversight of cybersecurity risks to the Audit Committee. The Audit Committee is composed of board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. Our Audit Committee is charged with reviewing and discussing our policies with respect to risk assessment and risk management, which includes overseeing our major financial, privacy, security, cybersecurity, and technology risk exposures and the steps our management has taken to monitor and control these exposures. At the management level, our Head of Cybersecurity and the cybersecurity teams are primarily responsible for identifying, assessing, monitoring and managing our cybersecurity. Our current Head of Cybersecurity has 20 years of industry experience, including serving as an enterprise Chief Information Security Officer for many years and having extensive experience in developing and leading risk management programs. Additionally, our Head of Cybersecurity holds multiple industry-standard security certifications, including CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager).
The Audit Committee receives reports, briefings and presentations from senior management, including our Head of Cybersecurity, at periodic committee meetings, including, on a rotating basis, in-depth presentations on specific areas of risk and regular enterprise risk management updates.
In addition to our scheduled meetings, our Global Incident Response Plan ensures that significant developments or incidents, even if immaterial to us, are reviewed regularly by a cross-functional team to determine whether further escalation to the Audit Committee is appropriate, ensuring the committee's and the Board’s oversight is timely and responsive. Our Global Incident Response Plan also includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.