NETFLIX INC - (NFLX)
10-K Filing Date: January 26, 2024
Item 1C.Cybersecurity
We have an enterprise-wide information security program designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools, and a bug bounty program to allow security researchers to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. We also maintain a third party security program to identify, prioritize, assess, mitigate and remediate third party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.
We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, red team exercises, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also engage an external auditor to conduct an annual payment card industry data security standard review of our security controls protecting payment information, as well as third-party penetration testing of our cardholder environment and related systems. The results of these assessments are reported to the Audit Committee.
Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property, and we have experienced an unauthorized release of certain digital content assets. However, to date these incidents have not had a material impact on our service, systems or business. Any significant disruption to our service or access to our systems could result in a loss of members and adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See "Risk Factors - Any significant disruption in or unauthorized access to our computer systems or those of third parties that we utilize in our operations, including those relating to cybersecurity or arising from cyber-attacks, could result in a loss or degradation of service, unauthorized access, disclosure or destruction of data, including member and corporate information, or theft of intellectual property, including digital content assets, which could adversely impact our business."
The Vice President of Security and Privacy Engineering leads our global information security organization responsible for overseeing the Netflix information security program. Our VP of Security and Privacy Engineering has over 30 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Team members who support our information security program have relevant educational and industry experience,
16
including holding similar positions at large technology companies. The teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.
The Board oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. The Audit Committee of the Board oversees our cybersecurity risk and receives regular reports from our VP of Security and Privacy Engineering on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.
17