DoorDash, Inc. - (DASH)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity risk management is an important part of DoorDash’s enterprise risk management efforts. We have an enterprise-wide information security program that is designed to identify, protect, detect, and respond to reasonably foreseeable cybersecurity risk and threats, and continuously work to enhance and improve our cybersecurity and risk management efforts. We routinely assess material risks from cybersecurity threats and maintain incident response plans designed to protect, identify, evaluate, respond to, and recover from a cybersecurity incident. The plans are designed to be flexible so that they may be adapted to an array of potential scenarios, and provide for the creation of cross-functional cybersecurity incident response teams in the event of a cybersecurity incident. We regularly conduct exercises to help ensure our overall preparedness for a cybersecurity incident.
We also have invested in tools and technologies to protect our data and information technology, and we monitor our systems on an ongoing basis to identify and assess risk. In addition, we have implemented a mandatory cybersecurity training and awareness program designed to educate and train employees on how to identify and report cybersecurity threats. We also provide specialized training for employees in more sensitive roles.
We take measures to assess and, where warranted, update and improve our cybersecurity program, including by regularly conducting internal risk assessments, internal control validations, independent program assessments, threat assessments, penetration testing, and scanning of our systems for vulnerabilities. Our cybersecurity risk management framework is based on applicable laws and regulations, as well as industry recognized standards and practices. We undergo periodic third-party assessments against recognized industry standards and practices, including an annual payment card industry data security standard review of our security controls protecting payment card information. We also periodically engage third-party advisors to assess the effectiveness of our cybersecurity program, policies and practices, consult with external advisors regarding opportunities and enhancements to strengthen our policies and practices, and assess our cybersecurity capabilities using third-party security firms. Our internal audit team provides independent assessment of our cybersecurity program and controls.
With respect to third-party service providers, our information security program includes conducting due diligence and vendor risk assessment of relevant service providers’ information security programs prior to onboarding, as well as ongoing monitoring through DoorDash’s third-party risk management policy and program. We also contractually require third-party service providers with access to our information technology systems, sensitive business data, or personal information to implement and maintain appropriate security controls and provide for contractual restrictions on their ability to use our data. We work with these third-party service providers to help ensure their cybersecurity protocols are appropriate to the risk presented by their access to or use of our systems and/or data, including notification and coordination concerning incidents occurring on third-party systems that may affect us. Our service providers are contractually required to notify us promptly of information security incidents that may affect our systems or data, including personal information.
To date, risks from cybersecurity threats have not materially affected our business or operations. Although we have invested in the protection of our data and information technology, and monitor our systems on an ongoing basis, there can be no assurance that such efforts will be successful in preventing our information technology systems from being compromised or otherwise protecting us completely from security breaches or incidents. For additional information regarding whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please see the section titled "Risk Factors," in this Annual Report on Form 10-K, including the section titled “Risk Factors—Risks Related to Our Business and Operations—We have been subject to cybersecurity incidents in the past and anticipate being the target of future attacks. Any actual or perceived cybersecurity incident or security or privacy breach could interrupt our operations, harm our brand, subject us to claims, litigation, regulatory investigations and liability, and adversely affect our reputation, brand, business, financial condition, and results of operations.”
Governance
Our board of directors has risk oversight responsibility for DoorDash and administers this responsibility both directly and with assistance from its committees. Our board of directors has designated our audit committee to administer oversight of cybersecurity risk management, which is a critical component of our enterprise risk management program. As such, our audit committee receives regular updates on our cybersecurity program and is actively involved in reviewing our information security and technology risks and opportunities, risk mitigation strategies, incident and industry trends, areas of emerging risks, and other areas of importance, including with respect to cybersecurity. Security updates are also provided to the full board of directors from time to time.
DoorDash’s cybersecurity program is led by its Chief Information Security Officer (“CISO”), who is responsible for assessing and managing information security and technology risks and reports to the General Counsel. He has worked in security and technology for over 20 years, with the last 10 years spent in security leadership. He holds a B.S. in Computer Science from University of Illinois Springfield. Including DoorDash, he has held a CISO role at four companies within the technology and e-commerce spaces. Wolt’s cybersecurity program is led by a Vice President of Security, who is responsible for assessing and managing information security, technology, and physical security and safety risks, and reports to the Chief Executive Officer of Wolt. He has worked in security and technology for over 30 years. Their teams are composed of experienced personnel with a broad range of experience across the technology industry.
Management is responsible for assessing, identifying, and managing material cybersecurity risks, and both DoorDash’s CISO and Wolt’s Vice President of Security and their teams meet regularly with each other and with members of management to review and evaluate our cybersecurity risks and risk management program. As part of its oversight of cybersecurity risks, our audit committee receives regular updates on the risks and status of both the DoorDash and Wolt security programs, including from the DoorDash CISO and Wolt’s Vice President of Security and their teams. Both programs have in place coordinated cybersecurity incident response processes that set forth procedures for managing and responding to cybersecurity incidents across the enterprise, including the assignment of cross-functional roles and responsibilities and protocols for the escalation of significant incidents to members of management and our audit committee.