Uber Technologies, Inc - (UBER)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Safeguarding our critical networks and the information that platform users share with us is vital to our business. One key way that Uber addresses this need is through its cybersecurity risk management program (“Cybersecurity Program”).
Uber’s Chief Information Security Officer (“CISO”) is responsible for the Cybersecurity Program, which is coordinated and primarily executed by a global organization of engineers focused on risk management using the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover) and activities such as automation, secure development, and advanced analytics and monitoring. The CISO has served in that role since February 2021 and has more than 20 years of engineering and/or cybersecurity experience, including previously as CISO and Deputy Chief Technology Officer at a Fortune 500 company.
The Cybersecurity Program is also supported by Uber’s Chief Privacy Officer and Associate General Counsel, Privacy & Cybersecurity (“CPO”), who has served in that role since August 2018. The CPO has three decades of experience as a legal advisor to multinational corporations, including serving as Chief Privacy & Security Counsel for a Fortune 100 technology company prior to her role at Uber.
The Cybersecurity Program is supported by other members of Uber’s senior management team as well, including the Chief Legal Officer, Head of Platform Engineering, and EU Data Protection Officer. Uber’s Board of Directors oversees the Cybersecurity Program through regular updates.
This Cybersecurity Program is a critical component of Uber’s enterprise risk management program, through which Uber reviews business, cybersecurity, information technology, privacy, legal, and geopolitical risks, among others. The Cybersecurity Program is designed to assess, identify, and manage risks from cybersecurity threats.
Key elements of this program include:
Oversight and Governance. Uber’s Board oversees the Cybersecurity Program, and Uber’s risk profile with respect to cybersecurity matters, through regular reports and reviews. These include presentations by the CISO to the Board and Audit Committee on an alternating quarterly basis, quarterly reports of certain cybersecurity incidents to the Board, and annual reports by the CPO to the Board.
The CISO also provides quarterly updates to Uber’s senior management regarding cybersecurity risks, as well as interim updates during regular meetings with Uber’s engineering, product and internal audit leadership. The CISO and CPO also jointly chair Uber’s Privacy and Cybersecurity Council, which provides a venue for cross-functional insight and input into the Cybersecurity Program and our privacy program as they relate to Uber’s business operations.
Internally conducted environment and vulnerability assessments. These include semi-annual assessments performed by Uber’s security engineering teams. The findings from these assessments are reported to Uber’s senior management, including the CISO, and the Board or Audit Committee. In addition, our internal audit function periodically conducts additional reviews and assessments, which are reported to the Audit Committee.
Independent third-party audits and assessments by industry-leading firms. These include regular assessments of Uber’s information systems, business systems and cybersecurity infrastructure; reviews to identify opportunities to strengthen Uber’s cybersecurity posture; and cybersecurity audits for purposes of maintaining Uber’s Payment Card Industry (PCI), ISO 27001 and 27002, and SOC1 and SOC2 certifications.
Cyber incident management. This includes efforts by Uber’s security engineering team, at the direction of the CISO, to review potential incidents identified by Uber’s internal teams, Uber’s third-party service providers or external researchers through Uber’s Bug Bounty program; identify those which represent potential or actual threats to Uber’s systems, data or users; investigate and mitigate the cause and impact of such incidents; and implement safeguards to help prevent recurrence. Uber’s CPO and legal team support such efforts, including in connection with legal or disclosure obligations triggered in connection with any such incidents.
Third Party Risk Management. Uber performs due diligence regarding its third-party suppliers, service providers and business partners. This includes requiring submission of evidence demonstrating third parties’ ability to meet Uber’s cybersecurity and data handling requirements. In addition, Uber’s third-party suppliers and service providers who process Uber personal data are contractually obligated to notify Uber if they experience certain incidents impacting Uber personal data.
For a discussion regarding risks from cybersecurity threats, see our risk factors, including the risk factors titled “—We have experienced, and may experience security or privacy breaches or other unauthorized or improper access to, use of, disclosure of, alteration of or destruction of our proprietary or confidential data, employee data, or platform user data, which could cause loss of revenue, harm to our brand, business disruption, and significant liabilities”, “—Cyberattacks, including computer malware, ransomware, viruses, denial of service attacks, spamming, phishing and social engineering attacks could harm our reputation, business, and operating results”, “—We currently are subject to a number of inquiries, investigations, and requests for information from the DOJ, other federal, state and local government agencies and other foreign government agencies, the adverse outcomes of which could harm our business” and “—We face risks related to our collection, use, transfer, disclosure, and other processing of data, which could result in investigations, inquiries, litigation, fines, legislative and regulatory action, and negative press about our privacy and data protection practices” in Part I, Item 1A of this Annual Report on Form 10-K.