|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our Information Security Program (“Program”) is designed to support the Company in identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents (collectively, “cybersecurity risks”) with the intention to protect the confidentiality, integrity, and availability of our critical systems and information.
We design and regularly assess our Program guided by National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and ISO standards (including ISO 27001), proprietary controls and industry best practices.
Our Program is built on a three lines of defense model integrated into our overall Enterprise Risk and Compliance Management Program (“ERCM Program”). It shares common methodologies, reporting channels, and governance processes that apply across the ERCM Program to other legal, compliance, strategic, operational, and financial risk areas. The Program is governed by the Technology, Information Security, and Privacy Risk Management Committee and overseen by our Board of Directors (“Board”) and its Risk and Compliance Committee (“R&C Committee”).
The three lines of defense model is designed to provide a structure for risk management in the first line of defense (“FLOD”), monitoring and guidance by the second line of defense (“SLOD”), and independent audit by the third line of defense (“TLOD”). Our Office of the Chief Information Security Officer oversees the Company’s information, cyber, and technology security. The Enterprise Risk Management Organization provides second line monitoring and guidance. The Technology and Information Security team serves as SLOD and provides independent oversight of our technology and cybersecurity risk mitigation practices and capabilities. As TLOD, Internal Audit independently assesses the effectiveness of our cybersecurity risk management and independently reports the results of audits to our R&C Committee to assist it in its oversight duties.
Our Program includes:
• Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise Information Technology (“IT”) environment;
• Regular testing of our systems to identify and address potential vulnerabilities;
• Integrated planning and preparedness activities supporting business continuity and operational resiliency;
• Security teams principally responsible for managing our (1) annual cybersecurity risk assessment processes, (2) security controls, and (3) response to cybersecurity incidents;
• A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
• 24/7 monitoring and measurement of cybersecurity threats through our PayPal Cyber Defense Center (“CDC”);
• The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• An information training and awareness program for our employees, contractors, incident response personnel, and senior management; and
• A third-party risk management framework designed to monitor and address risks from cybersecurity incidents of service providers, suppliers, and vendors that includes due diligence over the information security and technology control environment of third parties at onboarding and periodically throughout the lifecycle of the relationship. In addition, our standard contractual terms require notification and communication from third parties in the event of a cybersecurity incident. We maintain procedures to respond to, manage and mitigate third-party cybersecurity events and vulnerabilities when identified.
For a description of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition, see “Item 1A. Risk Factors” under the captions “Cyberattacks and security vulnerabilities could result in serious harm to our reputation, business, and financial condition” and “Business interruptions or systems failures may impair the availability of our websites, applications, products or services, or otherwise harm our business.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our Program is built on a three lines of defense model integrated into our overall Enterprise Risk and Compliance Management Program (“ERCM Program”). It shares common methodologies, reporting channels, and governance processes that apply across the ERCM Program to other legal, compliance, strategic, operational, and financial risk areas. The Program is governed by the Technology, Information Security, and Privacy Risk Management Committee and overseen by our Board of Directors (“Board”) and its Risk and Compliance Committee (“R&C Committee”).
|Cybersecurity Risk Management Third Party Engaged [Flag]
|false
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to our R&C Committee oversight of cybersecurity and other information technology risks. The R&C Committee oversees PayPal’s overall risk framework, including management’s implementation of our cybersecurity risk management program, and reports to the full Board of Directors on a regular basis on cybersecurity and information technology risk management. The R&C Committee receives quarterly reports from the Chief Information Security Officer (“CISO”) on our cybersecurity risks. Management also updates the R&C Committee, as necessary, regarding cybersecurity incidents.
Our CISO is responsible for implementing the information security strategy, security engineering, enabling business partners, and securing customer data, digital assets, and payments. His organization also monitors cyber regulation requirements and reviews impacts of new products and initiatives. Our CISO has over two decades of experience as a cybersecurity professional, including as a CISO at PayPal and four other organizations that include leading global financial services institutions and large-scale U.S. government agencies (including within the Department of Defense). He has an extensive record of success shepherding digital transformation aligned with business goals, launching cybersecurity frameworks, building security engineering teams, and ensuring protection of assets, data, privacy, and company reputation.
The R&C Committee reports to the Board regarding its activities, including those related to cybersecurity risk oversight. The Board also receives briefings at least annually from management on our Program. Board members receive presentations on cybersecurity topics from our CISO and external experts from time to time as part of our continuing education to the Board on topics relevant to their service on our Board.
Our cybersecurity teams, overseen by our CISO, are responsible for assessing and managing our risks from cybersecurity threats, including defining security policy and Board reporting of security risk. The CISO approves all security policies and oversees the identification, assessment, and management of cybersecurity risks, which is designed to provide a proactive and comprehensive approach to safeguarding our information assets. The teams have primary responsibility for our overall Program and supervise both our internal cybersecurity personnel and our external cybersecurity consultants. Our cybersecurity teams’ expertise includes cybersecurity incident response, in-depth security assessments, security emulation exercises to evaluate security profiles, security research, education and outreach, and security tool development.
Our cybersecurity teams supervise efforts to prevent, detect, mitigate, and remediate cybersecurity threats and incidents through the operation of our incident response plan and various other means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, as well as alerts and reports produced by security tools deployed in the IT environment. They also oversee, identify, and address security threats aimed at PayPal customers, employees, and partners.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to our R&C Committee oversight of cybersecurity and other information technology risks. The R&C Committee oversees PayPal’s overall risk framework, including management’s implementation of our cybersecurity risk management program, and reports to the full Board of Directors on a regular basis on cybersecurity and information technology risk management.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The R&C Committee oversees PayPal’s overall risk framework, including management’s implementation of our cybersecurity risk management program, and reports to the full Board of Directors on a regular basis on cybersecurity and information technology risk management. The R&C Committee receives quarterly reports from the Chief Information Security Officer (“CISO”) on our cybersecurity risks. Management also updates the R&C Committee, as necessary, regarding cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO is responsible for implementing the information security strategy, security engineering, enabling business partners, and securing customer data, digital assets, and payments. His organization also monitors cyber regulation requirements and reviews impacts of new products and initiatives. Our CISO has over two decades of experience as a cybersecurity professional, including as a CISO at PayPal and four other organizations that include leading global financial services institutions and large-scale U.S. government agencies (including within the Department of Defense). He has an extensive record of success shepherding digital transformation aligned with business goals, launching cybersecurity frameworks, building security engineering teams, and ensuring protection of assets, data, privacy, and company reputation.
The R&C Committee reports to the Board regarding its activities, including those related to cybersecurity risk oversight. The Board also receives briefings at least annually from management on our Program. Board members receive presentations on cybersecurity topics from our CISO and external experts from time to time as part of our continuing education to the Board on topics relevant to their service on our Board.
Our cybersecurity teams, overseen by our CISO, are responsible for assessing and managing our risks from cybersecurity threats, including defining security policy and Board reporting of security risk. The CISO approves all security policies and oversees the identification, assessment, and management of cybersecurity risks, which is designed to provide a proactive and comprehensive approach to safeguarding our information assets. The teams have primary responsibility for our overall Program and supervise both our internal cybersecurity personnel and our external cybersecurity consultants. Our cybersecurity teams’ expertise includes cybersecurity incident response, in-depth security assessments, security emulation exercises to evaluate security profiles, security research, education and outreach, and security tool development.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to our R&C Committee oversight of cybersecurity and other information technology risks. The R&C Committee oversees PayPal’s overall risk framework, including management’s implementation of our cybersecurity risk management program, and reports to the full Board of Directors on a regular basis on cybersecurity and information technology risk management. The R&C Committee receives quarterly reports from the Chief Information Security Officer (“CISO”) on our cybersecurity risks. Management also updates the R&C Committee, as necessary, regarding cybersecurity incidents.
Our CISO is responsible for implementing the information security strategy, security engineering, enabling business partners, and securing customer data, digital assets, and payments. His organization also monitors cyber regulation requirements and reviews impacts of new products and initiatives. Our CISO has over two decades of experience as a cybersecurity professional, including as a CISO at PayPal and four other organizations that include leading global financial services institutions and large-scale U.S. government agencies (including within the Department of Defense). He has an extensive record of success shepherding digital transformation aligned with business goals, launching cybersecurity frameworks, building security engineering teams, and ensuring protection of assets, data, privacy, and company reputation.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over two decades of experience as a cybersecurity professional, including as a CISO at PayPal and four other organizations that include leading global financial services institutions and large-scale U.S. government agencies (including within the Department of Defense). He has an extensive record of success shepherding digital transformation aligned with business goals, launching cybersecurity frameworks, building security engineering teams, and ensuring protection of assets, data, privacy, and company reputation.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The R&C Committee receives quarterly reports from the Chief Information Security Officer (“CISO”) on our cybersecurity risks. Management also updates the R&C Committee, as necessary, regarding cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true