Snap Inc - (SNAP)

10-K Filing Date: February 07, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Our engineering security team, led by our Chief Information Security Officer, or CISO, uses a multi-pronged approach to assessing, identifying, and managing material risks from cybersecurity threats. This approach includes identifying and assessing risks through: (1) an enterprise risk management program, which is periodically refreshed and includes an identification of our top risks, including cybersecurity risks; (2) formalized security and privacy reviews designed to identify risks from many new features, software, and vendors; (3) a vulnerability management program designed to identify hardware and software vulnerabilities; (4) an internal “red team” program, which simulates cyber threats, intended to allow us to fix vulnerabilities before threat actors identify them; (5) a threat intelligence program designed to model and research our adversaries; and (6) a privacy and security incident response program designed to investigate, respond to, and remediate known incidents. These processes vary in scope and maturity across the business and are processes we work to continually improve.
Our risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of our security controls. We conduct penetration testing on a periodic basis, and have established an external bug bounty program to allow security researchers to help identify vulnerabilities and weaknesses in our controls and configurations in our systems. We also maintain a vendor risk management program designed to identify and mitigate potential risks associated with third-party suppliers and business partners. This program includes pre-engagement diligence, use of contractual cybersecurity and notification provisions, and ongoing monitoring of vendors, as appropriate.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example professional service firms (including legal counsel), threat intelligence services, and cybersecurity consultants.
The material cybersecurity threats identified through these processes are managed by our CISO and, where appropriate, our risk and compliance committee, in consultation with management. Together, they identify responsive actions for inclusion in our annual strategic planning, or earlier resolution depending on the nature of the risk.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see “Risk Factors” in Part I, Item 1A in this Annual Report on Form 10-K.
Governance
Our board of directors maintains oversight of risks from cybersecurity threats by meeting with and receiving periodic updates from our CISO, via our audit committee, which is assigned oversight of cybersecurity risks. In addition, the chair of our audit committee meets with our CISO on a quarterly basis to discuss cybersecurity threats and incidents, as well as the business’s approach to responding to them. Our incident response plans also provide that our board of directors and audit committee are notified in the event of a material cybersecurity incident.
Our CISO, Jim Higgins, has over 30 years of experience in the technology sector, including senior leadership roles in product security, information security engineering, and cloud enterprise. Mr. Higgins assisted the Linux Foundation in starting the Open Source Security Foundation to help increase awareness and promote technical solutions to address validation of Open Source software. Mr. Higgins has worked in information security at Chevron, Eastman Kodak, and Google, and, most recently, spent two years as the CISO of Block, Inc. (formerly Square).
Our CISO also regularly meets with our CEO and other members of our management team (or their designees), including our General Counsel, Chief Financial Officer, Chief Communications Officer, and Senior Vice President of Engineering, including as part of the cybersecurity incident response process.
Our CISO, and where necessary our management team and risk and compliance committee, are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents, through our security incident response process. We maintain internal aliases, which employees may use to identify a cybersecurity or privacy threat or incident, for escalation, investigation, containment, and remediation. A report to the alias triggers our Security Incident Response Policy and associated plans, which have defined roles for our cross-functional incident response team. The incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of cybersecurity incidents provided to our management team by our CISO and General Counsel (or their designees) and escalations of certain cybersecurity incidents as appropriate to our board of directors. If a cybersecurity incident is determined to be a material cybersecurity incident, our Security Incident Response Policy and associated plans define the process to file a report regarding the incident with the SEC.