|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Safeguarding our critical networks and the information that platform users share with us is vital to our business. One key way that Uber addresses this need is through its cybersecurity program, which includes a cybersecurity risk management program.
Uber’s Chief Information Security Officer (“CISO”) is responsible for the cybersecurity program, which is coordinated and primarily executed by the global organization of engineers focused on risk management using the NIST Framework (Govern, Identify, Protect, Detect, Respond, and Recover) and activities such as automation, secure development, and advanced analytics and monitoring. The CISO has served in such role since February 2021 and has more than 20+ years of engineering and/or cybersecurity experience, including previously as CISO and Deputy Chief Technology Officer at a Fortune 500 company.
The cybersecurity program is also supported by Uber’s Chief Privacy Officer and Associate General Counsel, Privacy & Cybersecurity (“CPO”), who has served in that role since August 2018. The CPO has over three decades of experience as a legal advisor to multinational corporations, including serving as Chief Privacy & Security Counsel for a Fortune 100 technology company prior to her role at Uber.
The cybersecurity program is supported by other members of Uber’s senior management team as well, including the Chief Legal Officer, Chief Architect Officer, and Global Data Protection Officer. Uber’s Board of Directors oversees the cybersecurity program through regular updates.
This cybersecurity program is a critical component of Uber’s enterprise risk management program, through which Uber reviews business, cybersecurity, information technology, privacy, legal, and geopolitical risks, among others. The cybersecurity program is designed to assess, identify, and manage risks from cybersecurity threats.
Key elements of this program include:
•Oversight and Governance. Uber’s Board oversees the cybersecurity program, and Uber’s risk profile with respect to cybersecurity matters, through regular reports and reviews. These include presentations by the CISO to the Board and Audit Committee on an alternating quarterly basis, quarterly reports of certain cybersecurity incidents to the Board, and annual reports by the CPO to the Board.
The CISO also provides quarterly updates to Uber’s senior management regarding cybersecurity risks, as well as interim updates during regular meetings with Uber’s engineering, product and internal audit leadership. The CISO and CPO also jointly chair Uber’s Privacy and Cybersecurity Council, which provides a venue for cross-functional insight and input into the cybersecurity program and our privacy program as they relate to Uber’s business operations.
•Internally conducted environment and vulnerability assessments. These include regular assessments performed by Uber’s security engineering teams. The findings from these assessments are reported to Uber’s senior management, including the CISO, and the Board or Audit Committee. In addition, our internal audit function periodically conducts additional reviews and assessments, which are reported to the Audit Committee. We also conduct table-top exercises to simulate the response to cybersecurity incidents; participants may include, among others, the CISO, the CPO, and representatives from communications, investor relations, finance and legal.
•Independent third-party audits and assessments by industry-leading firms. As a global organization, Uber undergoes annual audits to maintain its certification as a Payment Card Industry Data Security Standard (PCI DSS 4.0) Level 1 Merchant and Service provider. Uber also undergoes annual audits to maintain its ISO 27001 certification for its core mobility, delivery, and enterprise businesses, and SOC 2 attestations that vary depending on the Uber product.
•Cyber incident management. This includes efforts by Uber’s security engineering team, at the direction of the CISO, to review potential incidents identified by Uber’s internal teams, Uber’s third-party service providers or external researchers through Uber’s Bug Bounty program; identify those which represent potential or actual threats to Uber’s systems, data or users; investigate and mitigate the cause and impact of such incidents; and implement safeguards to help prevent recurrence. Uber’s CPO and legal team support such efforts, including in connection with legal or disclosure obligations triggered in connection with any such incidents.
•Third Party Risk Management. Uber performs due diligence regarding its third-party suppliers, service providers and business partners. This includes requiring submission of evidence demonstrating third parties’ ability to meet Uber’s cybersecurity and data handling requirements. In addition, Uber’s third-party suppliers and service providers who process Uber personal data are contractually obligated to notify Uber if they experience certain incidents impacting Uber personal data.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
This cybersecurity program is a critical component of Uber’s enterprise risk management program, through which Uber reviews business, cybersecurity, information technology, privacy, legal, and geopolitical risks, among others. The cybersecurity program is designed to assess, identify, and manage risks from cybersecurity threats.
Key elements of this program include:
•Oversight and Governance. Uber’s Board oversees the cybersecurity program, and Uber’s risk profile with respect to cybersecurity matters, through regular reports and reviews. These include presentations by the CISO to the Board and Audit Committee on an alternating quarterly basis, quarterly reports of certain cybersecurity incidents to the Board, and annual reports by the CPO to the Board.
The CISO also provides quarterly updates to Uber’s senior management regarding cybersecurity risks, as well as interim updates during regular meetings with Uber’s engineering, product and internal audit leadership. The CISO and CPO also jointly chair Uber’s Privacy and Cybersecurity Council, which provides a venue for cross-functional insight and input into the cybersecurity program and our privacy program as they relate to Uber’s business operations.
•Internally conducted environment and vulnerability assessments. These include regular assessments performed by Uber’s security engineering teams. The findings from these assessments are reported to Uber’s senior management, including the CISO, and the Board or Audit Committee. In addition, our internal audit function periodically conducts additional reviews and assessments, which are reported to the Audit Committee. We also conduct table-top exercises to simulate the response to cybersecurity incidents; participants may include, among others, the CISO, the CPO, and representatives from communications, investor relations, finance and legal.
•Independent third-party audits and assessments by industry-leading firms. As a global organization, Uber undergoes annual audits to maintain its certification as a Payment Card Industry Data Security Standard (PCI DSS 4.0) Level 1 Merchant and Service provider. Uber also undergoes annual audits to maintain its ISO 27001 certification for its core mobility, delivery, and enterprise businesses, and SOC 2 attestations that vary depending on the Uber product.
•Cyber incident management. This includes efforts by Uber’s security engineering team, at the direction of the CISO, to review potential incidents identified by Uber’s internal teams, Uber’s third-party service providers or external researchers through Uber’s Bug Bounty program; identify those which represent potential or actual threats to Uber’s systems, data or users; investigate and mitigate the cause and impact of such incidents; and implement safeguards to help prevent recurrence. Uber’s CPO and legal team support such efforts, including in connection with legal or disclosure obligations triggered in connection with any such incidents.
•Third Party Risk Management. Uber performs due diligence regarding its third-party suppliers, service providers and business partners. This includes requiring submission of evidence demonstrating third parties’ ability to meet Uber’s cybersecurity and data handling requirements. In addition, Uber’s third-party suppliers and service providers who process Uber personal data are contractually obligated to notify Uber if they experience certain incidents impacting Uber personal data.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Oversight and Governance. Uber’s Board oversees the cybersecurity program, and Uber’s risk profile with respect to cybersecurity matters, through regular reports and reviews. These include presentations by the CISO to the Board and Audit Committee on an alternating quarterly basis, quarterly reports of certain cybersecurity incidents to the Board, and annual reports by the CPO to the Board.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Uber’s Board oversees the cybersecurity program, and Uber’s risk profile with respect to cybersecurity matters, through regular reports and reviews.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|These include presentations by the CISO to the Board and Audit Committee on an alternating quarterly basis, quarterly reports of certain cybersecurity incidents to the Board, and annual reports by the CPO to the Board.
|Cybersecurity Risk Role of Management [Text Block]
|
Uber’s Chief Information Security Officer (“CISO”) is responsible for the cybersecurity program, which is coordinated and primarily executed by the global organization of engineers focused on risk management using the NIST Framework (Govern, Identify, Protect, Detect, Respond, and Recover) and activities such as automation, secure development, and advanced analytics and monitoring. The CISO has served in such role since February 2021 and has more than 20+ years of engineering and/or cybersecurity experience, including previously as CISO and Deputy Chief Technology Officer at a Fortune 500 company.
The cybersecurity program is also supported by Uber’s Chief Privacy Officer and Associate General Counsel, Privacy & Cybersecurity (“CPO”), who has served in that role since August 2018. The CPO has over three decades of experience as a legal advisor to multinational corporations, including serving as Chief Privacy & Security Counsel for a Fortune 100 technology company prior to her role at Uber.
The cybersecurity program is supported by other members of Uber’s senior management team as well, including the Chief Legal Officer, Chief Architect Officer, and Global Data Protection Officer. Uber’s Board of Directors oversees the cybersecurity program through regular updates.
The CISO also provides quarterly updates to Uber’s senior management regarding cybersecurity risks, as well as interim updates during regular meetings with Uber’s engineering, product and internal audit leadership. The CISO and CPO also jointly chair Uber’s Privacy and Cybersecurity Council, which provides a venue for cross-functional insight and input into the cybersecurity program and our privacy program as they relate to Uber’s business operations.
•Internally conducted environment and vulnerability assessments. These include regular assessments performed by Uber’s security engineering teams. The findings from these assessments are reported to Uber’s senior management, including the CISO, and the Board or Audit Committee. In addition, our internal audit function periodically conducts additional reviews and assessments, which are reported to the Audit Committee. We also conduct table-top exercises to simulate the response to cybersecurity incidents; participants may include, among others, the CISO, the CPO, and representatives from communications, investor relations, finance and legal.
•Cyber incident management. This includes efforts by Uber’s security engineering team, at the direction of the CISO, to review potential incidents identified by Uber’s internal teams, Uber’s third-party service providers or external researchers through Uber’s Bug Bounty program; identify those which represent potential or actual threats to Uber’s systems, data or users; investigate and mitigate the cause and impact of such incidents; and implement safeguards to help prevent recurrence. Uber’s CPO and legal team support such efforts, including in connection with legal or disclosure obligations triggered in connection with any such incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Uber’s Chief Information Security Officer (“CISO”) is responsible for the cybersecurity program, which is coordinated and primarily executed by the global organization of engineers focused on risk management using the NIST Framework (Govern, Identify, Protect, Detect, Respond, and Recover) and activities such as automation, secure development, and advanced analytics and monitoring.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has served in such role since February 2021 and has more than 20+ years of engineering and/or cybersecurity experience, including previously as CISO and Deputy Chief Technology Officer at a Fortune 500 company.
The cybersecurity program is also supported by Uber’s Chief Privacy Officer and Associate General Counsel, Privacy & Cybersecurity (“CPO”), who has served in that role since August 2018. The CPO has over three decades of experience as a legal advisor to multinational corporations, including serving as Chief Privacy & Security Counsel for a Fortune 100 technology company prior to her role at Uber.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Uber’s Board oversees the cybersecurity program, and Uber’s risk profile with respect to cybersecurity matters, through regular reports and reviews. These include presentations by the CISO to the Board and Audit Committee on an alternating quarterly basis, quarterly reports of certain cybersecurity incidents to the Board, and annual reports by the CPO to the Board.
The CISO also provides quarterly updates to Uber’s senior management regarding cybersecurity risks, as well as interim updates during regular meetings with Uber’s engineering, product and internal audit leadership. The CISO and CPO also jointly chair Uber’s Privacy and Cybersecurity Council, which provides a venue for cross-functional insight and input into the cybersecurity program and our privacy program as they relate to Uber’s business operations.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true