Bark, Inc. - (BARK)
10-K Filing Date: June 03, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We recognize that our customers have a legitimate expectation of safety and privacy when they do business with us. We deploy considerable resources to protect customer data and privacy because our business depends on our customers’ trust. We recognize that there is a cost and risk associated with every piece of data our customers entrust us with, so we take measures to minimize what is collected to only what we need to provide a great experience and meet our legal and regulatory requirements. In addition, we have integrated cybersecurity risk management into our broader risk management framework through our (i) regular enterprise risk management updates to the Audit Committee, (ii) information technology and security related internal controls and (iii) incident response and vulnerability management programs.
We actively assess, identify, and manage material risks associated with cybersecurity threats. Our information security, finance, procurement, legal and other cross-functional teams work together to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. All employees are required to complete annual information security training and periodic training specifically related to phishing. We have an enterprise-wide Information Security Incident Response Plan (“Incident Response Plan”) which describes the detailed processes and procedures that should be followed in the event of an information security incident. We periodically perform tabletop exercises with management participation to be able to effectively respond to an information security incident and evaluate and improve the Incident Response Plan. We use various security tools and processes to help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner, including, but not limited to, internal reporting, monitoring and detection and vulnerability tools.
We also engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our information security processes. These partnerships enable us to leverage specialized knowledge and insights, with a goal of ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.
In order to mitigate data or security incidents that may originate from third-party vendors or suppliers, we conduct both privacy and information security assessments to properly identify, prioritize, assess and remediate any third-party risks, and require information security and privacy addenda to our contracts where applicable.
The nature of our business exposes us to cybersecurity threats and attacks that can lead to the unauthorized acquisition or access, compromise, loss, misuse or theft of our data, including personal information, confidential information or intellectual property. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business strategy, results of operations, or financial condition. See Part 1, Item 1A, Risk Factors, in this Annual Report on Form 10-K for a discussion of cybersecurity risks.
Governance
Our Board of Directors (the “Board”) is ultimately responsible for the risk oversight of the company, including cybersecurity and privacy risks. Our Board has delegated responsibility for oversight of cybersecurity risks to the Audit Committee. The Audit Committee is composed of board members with diverse expertise enabling its members to oversee cybersecurity risks effectively. Our Audit Committee’s responsibilities include reviewing the Company’s cybersecurity and other information technology risks, controls and procedures, including the Company’s plans to mitigate cybersecurity risks and to respond to data breaches.
At the management level, a management steering committee comprised of our Chief Financial Officer, Controller, and General Counsel is briefed quarterly by our Director of Information Security. Our Director of Information Security also prepares a quarterly Information Security Risk Report, which is provided to the management steering committee in advance of its quarterly meeting and also made available to the members of the Audit Committee. Our current Director of Information Security has 16 years of industry experience leading large-scale security initiatives, enhancing infrastructure defenses and instilling a culture of security awareness across all employee levels. Additionally, our Director of Information Security holds standard industry security certifications, including CISSP (Certified Information Systems Security Professional).
The Audit Committee will receive reports, briefings and presentations from senior management, including our Director of Information Security, at periodic committee meetings, including, on a rotating basis, in-depth presentations on specific areas of risk and regular enterprise risk management updates as needed.
In addition to scheduled meetings, significant developments or incidents, even if immaterial to us, are reviewed regularly by a cross-functional team, including the Chief Financial Officer and the General Counsel, to determine whether further escalation to the Audit Committee and/or the Board is appropriate, ensuring the Audit Committee’s and the Board’s oversight is timely and responsive. Our Incident Response Plan also includes immediate actions to mitigate the impact and strategies for remediation and prevention of future incidents.