PayPal Holdings, Inc. - (PYPL)

10-K Filing Date: February 08, 2024
ITEM 1C. CYBERSECURITY

CYBERSECURITY RISK MANAGEMENT AND STRATEGY

Our Information Security Program is designed to support the Company in identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents (collectively, “cybersecurity risks”) with the intention to protect the confidentiality, integrity, and availability of our critical systems and information.

We design and regularly assess our Information Security Program guided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ISO standards (including ISO 27001), proprietary controls, and industry best practices.

Our Information Security Program is built on a three lines of defense model integrated into our overall Enterprise Risk and Compliance Management Program (“ERCM Program”). It shares common methodologies, reporting channels, and governance processes that apply across the ERCM Program to other legal, compliance, strategic, operational, and financial risk areas. The Program is governed by the Technology, Information Security, and Privacy Risk Management Committee and overseen by our Board of Directors (“Board”) and its Audit, Risk and Compliance Committee (“ARC Committee”).

The three lines of defense model is designed to provide a structure for risk accountability in the first line of defense (“FLOD”), effective challenge by the second line of defense (“SLOD”), and independent risk assurance by the third line of defense (“TLOD”). Our Office of the Chief Information Security Officer serves as FLOD and provides operational and technical controls and capabilities to protect against cybersecurity risks. The Technology and Information Security team serves as SLOD and provides independent oversight of our technology and cybersecurity risk mitigation practices and capabilities. As TLOD, Internal Audit independently assesses the effectiveness of our first and second line of defense organizations in managing cybersecurity risk and independently reports the results of audits to our ARC Committee to assist it in its oversight duties.

Our Information Security Program includes:

Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise Information Technology (“IT”) environment;
Regular testing of our systems to identify and address potential vulnerabilities;
Integrated planning and preparedness activities supporting business continuity and operational resiliency;
Security teams principally responsible for managing (1) our annual cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
24/7 monitoring and measurement of cybersecurity threats through our PayPal Cyber Defense Center (“CDC”);
The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
An information security training and awareness program for our employees, contractors, incident response personnel, and senior management; and
A third-party risk management framework designed to monitor and address risks from cybersecurity incidents at service providers, suppliers, and vendors, which includes due diligence over each third party’s information security and technology control environment at onboarding and periodically throughout the lifecycle of the relationship. In addition, our standard contractual terms require notification and communication from third parties in the event of a cybersecurity incident. We maintain procedures to respond to, manage, and mitigate third-party cybersecurity events and vulnerabilities when identified.

For a description of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition, see “Item 1A. Risk Factors” under the captions “Cyberattacks and security vulnerabilities could result in serious harm to our reputation, business, and financial condition” and “Business interruptions or systems failures may impair the availability of our websites, applications, products or services, or otherwise harm our business.”

CYBERSECURITY GOVERNANCE

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to our ARC Committee oversight of cybersecurity and other information technology risks. The ARC Committee oversees PayPal’s overall risk framework, including management’s implementation of our cybersecurity risk management program, and reports to the full Board of Directors on a regular basis on cybersecurity and information technology risk management.

The ARC Committee receives periodic reports from the Chief Information Security Officer (“CISO”) on our cybersecurity risks. Our CISO has numerous years of experience at PayPal and other organizations building security products, managing security infrastructure, providing a variety of security services, and overseeing incident response and management, escalation of security events, vulnerability scanning, and security defect management. Management also updates the ARC Committee, as necessary, regarding cybersecurity incidents.

The ARC Committee reports to the Board regarding its activities, including those related to cybersecurity risk oversight. The Board also receives briefings at least annually from management on our Information Security Program. Board members receive presentations on cybersecurity topics from our CISO and external experts from time to time as part of our continuing education program for the Board on topics relevant to their service as Board members.

Our cybersecurity teams, overseen by our CISO, are responsible for assessing and managing our risks from cybersecurity threats, including defining security policy and reporting security risk to the Board. The CISO approves all security policies and oversees the identification, assessment, and management of cybersecurity risks, which provides a proactive and comprehensive approach to safeguarding our information assets. The teams have primary responsibility for our overall Information Security Program and supervise both our internal cybersecurity personnel and our external cybersecurity consultants. Our cybersecurity teams’ experience includes cybersecurity incident response, in-depth security assessments and adversary emulation exercises to evaluate our security posture, security research, education and outreach, and security tool development.

Our cybersecurity teams, in coordination with the CDC, supervise efforts to prevent, detect, mitigate, and remediate cybersecurity threats and incidents through the operation of our incident response plan and various other means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources (including external consultants engaged by us), and alerts and reports produced by security tools deployed in the IT environment. The CDC team identifies, tracks, and addresses security threats with the aim of safeguarding PayPal employees, consumers, and merchants.

Our CISO organization is responsible for independently identifying, measuring, monitoring, controlling, and reporting aggregate risks and for setting policies for the management and oversight of risk. The organization monitors cyber regulatory requirements, reviews the impacts of new products and initiatives, conducts reviews of cyber assessments and testing activities, and provides effective challenge to the FLOD risk management activities.