UPWORK, INC - (UPWK)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Our cybersecurity and data privacy risk management processes are integrated in our overall risk management program, and we have developed processes for assessing, identifying, and managing material risks from cybersecurity threats. We have adopted physical, technological, and administrative controls on data security and have a defined procedure for incident detection, containment, response, and remediation. Our information security team is primarily responsible for managing our cybersecurity and data privacy risk management processes. We conduct regular test exercises to ensure all relevant teams are aware of their responsibilities during a cybersecurity event or incident, and we use these exercises to promote a culture of continuous improvement. We also have implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Our platform is designed to help ensure the security of our data and systems, protect our customers’ personal information, and meet the rigorous privacy and security requirements of our Enterprise clients. To that end, we have obtained, and we maintain through regular audits where relevant, the following security and privacy certifications: ISO 27001 and 27018, SOC 2 Type 2 certification, SOC 3 certification, PCI-DSS Level 1 certification, and U.S.-EU and U.S.-Swiss Privacy Shield certifications. We are also TrustArc certified. In addition, we leverage the National Institute of Standards and Technology security framework to drive strategic direction and maturity improvement to protect against new and evolving cybersecurity risks over time.
Our information security controls operate at multiple levels and are designed to detect, prevent, and mitigate cybersecurity threats that could impact the privacy and security of our data and our customers’ data. To operate at scale, we have automated several risk mitigation strategies. We have implemented comprehensive trust and safety processes to help prevent and detect suspicious and fraudulent behavior on our platform. Over the years of developing our work marketplace, we have developed and refined specific pattern-matching algorithms to detect unusual behavior on our work marketplace, and we continue to improve such algorithms in the evolving threat landscape. We also regularly update our information security policies, standards and processes as needed to better reflect and account for updates in our cybersecurity posture, cybersecurity risks, and our risk mitigation strategies. We provide regular, mandatory training for our personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
We engage third parties, including vendors and other external service providers, to support our cybersecurity and data privacy processes such as risk assessments, program enhancements, and value-added user verification services. These third parties provide security services, including regular reviews of our security environment to provide an independent, industry-recognized risk rating and internal audits of our technology and security controls. We have also developed a program and engaged with a bug bounty service for ongoing identification of exploitable vulnerabilities in the environment. Separately, our information security team also conducts regular scans of the environment to identify known vulnerabilities for remediation.
We also have processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. To that end, we maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. In addition, we perform diligence on our vendors and prospective vendors regarding their cybersecurity posture. We conduct and maintain a regular enterprise risk management program that is overseen by the audit committee of our board of directors, and efforts to address cybersecurity risks are an important component of our overall approach to enterprise risk management.
We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, endpoint detection and response, logging, monitoring and alerting, anti-malware functionality, advanced email security, network security monitoring and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. All access to our platform is encrypted using industry-standard transport layer security technology. When customers enter sensitive information on our site, such as tax identification numbers, we encrypt the transmission of that information using secure sockets layer technology. We also use HSTS (HTTP Strict Transport Security) to ensure visitors connect to the website over HTTPS, which adds an additional layer of protection for our customers. For servers that store personally identifiable information, the data is encrypted. Moreover, our customers may elect to further secure their account credentials through two-factor authentication that requires them to authenticate with information provided by a second device. In order to make secure payments through our platform, we are Payment Card Industry Data Security Standard certified, which means we have demonstrated compliance with the Payment Card Industry security standards required for businesses that complete credit card or debit card transactions.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business strategy, operating results, and/or financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see our risk factor disclosures in Part I, Item 1A of this Annual Report on Form 10-K titled “If we or our third-party partners experience a security breach, other hacking or phishing attack, ransomware or other malware attack, or other privacy or security incident, our work marketplace may be perceived as not being secure, our reputation may be harmed, demand for our work marketplace may be reduced, our operations may be disrupted, we may incur significant legal costs, fines, or liabilities, and our business could be adversely affected.”
Cybersecurity Governance
While everyone at Upwork plays a part in managing cybersecurity and data privacy risks, oversight responsibility is shared by our board of directors, audit committee, and management.
Our board of directors, as a whole, has responsibility for risk oversight, although the committees of our board of directors oversee and review risk areas that are particularly relevant to their respective functions. Among its focus areas, our audit committee reviews matters relating to cybersecurity and data privacy and regularly reports to our board of directors regarding such matters. One member of our audit committee earned the NACD’s CERT Certificate in Cybersecurity Oversight in 2023. Our audit committee receives quarterly cybersecurity-related updates from our Chief Information Security Officer, which we refer to as our CISO, including in the form of written reports and presentations. Our CISO and audit committee also provide cybersecurity-related updates to the full board of directors three times per year, including regarding recent developments, evolving standards, metrics about cyber threat response preparedness, program maturity milestones, material cybersecurity risks and risk mitigation status, and the current and emerging threat landscape. We also have implemented controls and procedures that provide for the communication of material cybersecurity incidents to our Chief Executive Officer, Chief Financial Officer, and Chief Legal Officer, as well as to our audit committee and/or to our full board of directors on a timely basis.
Our CISO is primarily responsible for our cybersecurity risk management program and partners with our legal team on data privacy matters at the management level. Our CISO has over 25 years of experience in various technology leadership positions across multiple industries including finance, healthcare and technology. He has held leadership positions specifically in the information security space since 2011 at four publicly traded companies. The CISO’s leadership team members are all seasoned information security professionals who have worked at some of the largest well-known brand names and are experts in their fields. Our CISO monitors, and participates in, our various cybersecurity policies and procedures, and our cybersecurity team regularly updates our CISO on the current status of the cybersecurity environment, and cybersecurity incidents and actual or potential risks. Our CISO and his team provide regular updates to the management team and escalate events that require leadership’s attention.