Roblox Corp - (RBLX)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall enterprise risk management systems and processes. We routinely assess material risks from cybersecurity threats, including taking reasonable steps to detect any potential unauthorized occurrence on or behaviors conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
Risk Management and Strategy
We conduct periodic risk assessments to identify significant cybersecurity threats that may affect information systems that are vulnerable to such cybersecurity threats and regularly review these risk assessments for changes in our business practices and the external cybersecurity landscape as well as the impacts of our security processes. These risk assessments include identification of reasonably foreseeable internal and external risks and evaluation of the likelihood and potential damage that could result from the realization of such risks.
Following our risk assessments, we evaluate when and how to design, implement, and maintain reasonable safeguards to minimize the identified risks and address any identified gaps in existing safeguards, and proceed with such design, implementation, and maintenance as deemed appropriate. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Technology Officer, to manage the risk assessment and mitigation process. Our CISO has served in various roles in information technology and information security for over 15 years, including leading information security initiatives and incident response at two other large public companies and serving as the Chief Security Officer for the Arkansas Department of Human Services and working for the United States Department of Defense. He has an MS in Information Assurance from the University of Advanced Technology in Arizona and a BS in Computer Science from the University of Arkansas at Little Rock.
We also engage third-party service providers in connection with our risk assessment process and certain risk management processes. Our collaboration with these third-party service providers includes threat assessments and consultation on security enhancements.
We perform risk-tiered information security risk reviews for certain third-party service providers who have access to sensitive Company, user or employee information, reviewing areas such as data protection, endpoint management and protection, phishing, business continuity, and incident response management.
We also share and receive threat intelligence with federal, state, and local government agencies, peers and other organizations, information sharing and analysis centers, and cybersecurity associations.
Governance
Our Board of Directors has the ultimate responsibility for the oversight of our risk management framework, which is designed to identify, assess, and manage risks to which our Company is exposed, as well as to foster a corporate culture of integrity. Management is responsible for the day-to-day oversight and management of strategic, operational, legal and compliance, cybersecurity, and financial risks.
The Audit and Compliance Committee (the “ACC”) is central to the Board of Directors’ oversight of cybersecurity risks and has been delegated the primary responsibility for this domain. The ACC is composed of independent board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. The ACC has also engaged a cybersecurity advisor to assist it in cybersecurity matters. In overseeing the Company’s cybersecurity risks and mitigation strategies, at least quarterly the CISO, members of management, and the ACC’s cybersecurity advisor review and discuss with the ACC guidelines, practices, and policies to identify, monitor, and address enterprise risks, including cybersecurity risks. The ACC then oversees and monitors management’s plans to address such risks.
Our CISO and our management committee on cybersecurity, consisting of our Chief Technology Officer, General Counsel, Chief Financial Officer, and CISO, are primarily responsible for assessing and managing our material risks from cybersecurity threats and overseeing our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our CISO and our management committee on cybersecurity are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include both manual reviews and automated reviews of our systems and data, a bug bounty program, self-reporting, participation in information sharing forums on cybersecurity, proactive education of our service providers, and product and application security reviews.
In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan to guide response actions. This incident response plan includes immediate actions to mitigate the impact of the incident and long-term strategies for remediation and prevention of future incidents, and provides for internal notification of the incident to functional areas (e.g., legal) as well as to senior leadership and the ACC of the Board of Directors, as appropriate.
Our CISO provides briefings to the ACC at least quarterly regarding, among other topics, recent notable cybersecurity incidents, even if immaterial, and the Company’s response; cybersecurity systems testing results; the cybersecurity landscape and emerging risks and threats; and compliance with regulatory requirements and industry standards.
Notwithstanding the extensive approach we take to cybersecurity, including managing associated risks, we may not be successful in managing risks from cybersecurity threats, including identifying, preventing, or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.
For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled “Risks Related to Our Business: If the security of our Platform is compromised, it could compromise our and our developers’, creators’, and users’ private information, disrupt our internal operations, and harm public perception of our Platform, which could cause our business and reputation to suffer.”