NERDWALLET, INC. - (NRDS)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
NerdWallet, Inc. recognizes the importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data and that of our users.
Risk Management
We have adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to guide our risk assessment and management and promote a company-wide cybersecurity risk management culture. Our cybersecurity team works closely with our information technology (IT) department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.
Engagement of Third Parties
We enlist third-party cybersecurity assessors and consultants to evaluate and test both our risk management systems and the third-party risk management systems of our business partners. Through these collaborations, we tap into specialized knowledge and insights, helping us gauge the effectiveness of our cybersecurity strategies and processes. The findings from these assessments guide our decision-making and planning processes, influencing how we set priorities and allocate resources.
Overseeing Third-party Risk
Before partnering with third-party providers, we conduct a thorough examination of their cybersecurity program, policies, and practices. This includes a review of their SOC 2 reports and any available penetration tests. Additionally, we actively monitor our primary service providers and regularly obtain security control reports from them. We also employ real-time monitoring to detect any suspicious activity promptly. This approach is implemented to minimize risks associated with data breaches or other security incidents that may arise from third-party sources.
Risks from Cybersecurity Threats
To date, no cybersecurity incident or any risk from cybersecurity threats has materially affected, or has been determined to be reasonably likely to materially affect, us or our operations or financial condition.
Governance
The Board of Directors recognizes the critical importance of managing cybersecurity risks and has implemented robust oversight mechanisms designed to ensure effective governance in this area.
Audit Committee Oversight
The Audit Committee, comprising Board members with diverse experience in risk management, IT, cybersecurity, and finance, is directly responsible for overseeing cybersecurity risks. Our Chief Information Security Officer (CISO) provides comprehensive quarterly presentations to the Audit Committee, covering ongoing cybersecurity initiatives, strategies, and emerging threats. The Committee reports significant matters to the full board, and the CISO also delivers an annual presentation to the Board of Directors.
Management’s Vigilance
A Security Council, led by the CISO with representatives from our engineering, corporate IT, security, legal, and internal audit teams, diligently reviews and assesses cybersecurity plans, risks, and incidents on a monthly basis. Any substantial risk incident is escalated to the executive team, disclosure committee, and potentially the full Board, if deemed material. Regular communication between the CISO and the Chief Legal Officer, Chief Financial Officer, and Chief Executive Officer ensures top management is well-informed about NerdWallet's cybersecurity posture and potential risks.
Risk Management Leadership
The primary responsibility for assessing, monitoring, and managing our cybersecurity risks lies with our highly experienced CISO. With two decades of cybersecurity expertise, including multiple CISO roles, our CISO plays a pivotal role in developing and executing our cybersecurity strategies. His responsibilities include overseeing governance programs, addressing known risks, leading employee security training, and executing the incident response plan in case of a cybersecurity incident.