CHEGG, INC - (CHGG)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Chegg and its Board of Directors (the “Board”) recognize the critical importance of maintaining the trust and confidence of our students, business partners, and employees. We have established an Information Security and Governance Program (“ISP”) utilizing the National Institute of Standards and Technology Cybersecurity Framework as an authoritative source of cybersecurity standards and framework for measurement. The ISP comprises the following components: (i) policies which describe the core requirements and design aspects of the program, (ii) standards that provide quantifiable and prescriptive requirements to meet the program's design, (iii) processes that provide operational requirements to meet the ISP's policies and standards consistently, and (iv) implementation playbooks which are created, maintained, and used by the respective team responsible for implementation.
The ISP has three core functions underlying its design, which are intended to provide Chegg with appropriate oversight and governance to execute, monitor, measure and report on the performance of the program in a consistent manner:
• management (control owners) have a responsibility to own and manage risks associated with day-to-day operations, including the design, implementation, and ongoing operation of controls;
• compliance and cybersecurity teams enable the identification of emerging risks in daily operation of our business, providing compliance and oversight in the form of frameworks, policies, tools, and techniques to support management; and
• independent assessors provide objective evaluation by assessing whether the first and second functions above are operating successfully, providing assurance that controls are effective in both design and operation.
The Audit Committee of the Board (the “Audit Committee”) provides independent oversight of the ISP. As a component of the ISP, the Audit Committee receives a report on the health and performance of the ISP on at least an annual basis. The Audit Committee provides guidance and oversight to help ensure the ISP meets the needs of all interested parties and fulfills its core functions.
Our Trust and Security organization (“T&S”) is responsible for implementing the ISP. T&S is led by our Chief Information Security Officer (“CISO”), John Heasman, who reports to our Chief Technology Officer (“CTO”), Chuck Geiger. T&S is made up of three sub-teams, each led by a director who reports to the CISO:
• Information Security, which is responsible for implementing all aspects of the ISP and is structured around the following pillars: (i) Application Security, (ii) Infrastructure (Cloud) Security, (iii) Corporate IT Security, (iv) Security Operations, and (v) Governance and Risk Management.
• Compliance and Privacy, which is responsible for assessing and preparing internal teams for regulatory compliance pertaining to information security, secured financial reporting, and privacy and is structured around the following pillars: (i) Privacy, (ii) Compliance, (iii) Vendor Risk Management, and (iv) Security Awareness.
• Operations and Analytics, which is responsible for identifying and measuring consumer fraud and abuse of our customer-facing services, implementing manual and automated operations to ensure these are within acceptable bounds, and working with our product and engineering teams to design and implement longer term solutions.
T&S also partners with a dedicated engineering team, Security and Fraud Engineering, which reports to our CTO and is responsible for building libraries, services, and integrations that interface with both backend and vendor systems to support the objectives of T&S.
Mr. Heasman has served as our CISO for over four years and has served in various roles in information technology and information security for over 20 years, including serving as the Deputy CISO of a large public company prior to joining Chegg. Mr. Heasman holds undergraduate and graduate degrees in engineering and computer science. Mr. Geiger holds an undergraduate degree in computer science and has served in various roles in information technology for over 30 years, including serving as either the CTO or Executive Vice President of Technology of four companies prior to joining Chegg. Our CEO, CFO and General Counsel each hold degrees in their respective fields, and each have over 20 years of experience managing risks at Chegg and other companies, including risks arising from cybersecurity threats.
For discussion of our risk factors relating to cybersecurity and data privacy, see the “Risks Related to Data Privacy” section included in Part I, Item 1A, “Risk factors” of this Annual Report on Form 10-K.