Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
Risk Management and Strategy
We have adopted a comprehensive risk management system to manage the various risks we face, including financial risks, operational risks, compliance risks, risks associated with the stability of our information technology systems, cybersecurity risks and supplier management risks. We have established an array of risk management procedures to identify, assess and manage such risks, covering risk identification, risk assessment, risk control and risk monitoring. We have also implemented procedural design, an evaluation mechanism, and a risk grading and liability assessment mechanism to strengthen our risk management. Set forth below are the measures we undertake to manage cybersecurity risks.
Three-tier Cybersecurity Risk Management Structure
Based on the characteristics of our businesses, application services and system scale, we have established a three-tier management structure to prevent and manage cybersecurity risks. We formed the Network and Information Security Leadership Group, or the Leadership Group, which is led by our chief executive officer and composed of the head of the security department and the heads of all other first-level departments, such as our legal department, internal audit department and various business departments, to function as the decision-making body for our network and information security. The Leadership Group is responsible for overseeing the overall network and information security initiatives of the company.
We also formed the Network and Information Security Execution Group, or the Execution Group, which is responsible for implementing the overall network and information security plans deployed and assessed by the Leadership Group, evaluating, handling and preventing network and information security risks, and coordinating with various departments to carry out internal network and information security management work. The Execution Group is a subordinate body of the Leadership Group and is composed of members appointed by the Leadership Group.
In addition, we have set up the security department, consisting of specialized network and information security technicians, as a permanent functional organization and technical support team to manage our network and information security risks. The security department is responsible for the day-to-day detection and prevention of network and information security threats, the implementation of security measures, and reporting to the Execution Group.
Internal Policies
We have established comprehensive internal network and information security management policies and standards at the corporate level, based on ISO/IEC 27001:2013. We continuously update and enhance these policies and standards in line with evolving regulations and requirements and with the actual situation of our business and our cybersecurity management. Set forth below are the internal policies and standards we have adopted to manage network and information security risks:
Preventive Policies
We have adopted the following major internal policies and procedures to manage cybersecurity risks and prevent cybersecurity incidents:
•
Yalla Network and Information Security Management Standards, which prevent unauthorized access, use and control of network and information system resources to enhance the safety and stability of our network space and information system;
•
Yalla Operation and Maintenance Management Standards, which enhance the safety and reliability of our network operation and maintenance and ensure our compliance with relevant standards;
•
Yalla Data Security Management Standards, which use scientific methods to systematically analyze the data security risks we face and propose effective measures to improve our prevention and handling of data security risks, in order to control those risks at an acceptable level; and
•
Yalla Employment Network and Information Security Awareness Enhancement Mechanism, which enhances our employees’ awareness of network and information security by promoting internal publicity, organizing training, security drills and other activities to create a network and information security atmosphere with the full participation of all employees.
Remediation Policies
We have also adopted the following major internal policies and procedures to remediate cybersecurity incidents, should any occur:
•
Yalla Security Vulnerability Management Policies, which set out the procedures for swift handling of security vulnerabilities and emergency response in order to minimize the impact of security vulnerabilities; and
•
Yalla Information Security Incidents Management Policies, which set out the procedures for reporting, response and handling of cybersecurity incidents to reduce losses caused by cybersecurity incidents and enhance business continuity.
Technical Measures
We have implemented various technical measures, such as Zero Trust Network Access, or ZTNA, real-time monitoring of traffic logs, host-based vulnerability scanning, encryption and authentication of data in transit, data loss prevention, and code leakage monitoring systems, in order to identify and address cybersecurity threats in a timely manner and to protect the security and integrity of our information technology systems and the data stored in them.
Engagement of Third Parties
We obtained ISO/IEC 27001:2013 certification in 2022 and have undergone annual reviews conducted by the certifying body. ISO/IEC 27001:2013 is a standard for establishing and maintaining an information security management system; it has since been superseded by ISO/IEC 27001:2022, published in October 2022. It requires organizations to undertake a series of procedures, including defining the scope of the information security management system, formulating information security policies and strategies, delineating management responsibilities, and selecting control objectives and measures based on risk assessment.
We have adopted third-party security assessment measures and procedures to manage the risks posed by cybersecurity threats associated with our use of third-party service providers. In selecting third parties for collaboration, we prioritize those holding international compliance and security certifications and conduct annual reviews of the compliance certifications of our major suppliers. In addition, we have implemented strict visitor management and introduced a ZTNA system to restrict outsiders’ access to our internal network and information systems. We segregate the guest network from our internal network, and outsiders are not allowed to use the guest network unless they have applied to our internal reception department through the system and have been authorized to use it.
We may enter into a Data Security Agreement with third-party service providers or include data security-related provisions in our contracts to stipulate the cybersecurity responsibilities of such third parties and remediation measures to be taken in the event of cybersecurity incidents, depending on the level of sensitivity of the collaboration and the potential information security risks posed by the service.
Risks from Cybersecurity Threats
In 2024, we were not subject to any penalty related to cybersecurity, and there were no incidents presenting material risks arising from cybersecurity or personal data protection. However, despite our efforts, because we generate and process a large amount of data through our applications and rely on our information technology systems for our business operations, we cannot eliminate all risks from cybersecurity threats, nor can we provide assurance that we have not experienced an undetected cybersecurity incident. For more details, see “Item 4. Information on the Company—D. Risk Factors—Risks Relating to Our Business and Industry—Concerns about collection, use, retention, transfer, disclosure, processing and security of personal data could damage our reputation and deter current and potential users from using our platform and services, or subject us to significant compliance costs or penalties, which could materially and adversely affect our business, financial condition and results of operations”; and “—If we fail to prevent security breaches, cyber-attacks or other unauthorized access to our systems or our users’ data, we may be exposed to significant consequences, including legal and financial exposure and loss of users, and our reputation, business and operating results may be materially and adversely affected.”
Governance
Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents. Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents primarily through (i) the Leadership Group and the Execution Group, and (ii) our security, legal and internal audit departments.
The Leadership Group, led by our chief executive officer, is in charge of overseeing and directing cybersecurity risk management. The Leadership Group, upon assessing the nature of cybersecurity risks or threats and confirming that such risks or threats constitute significant cybersecurity incidents, reports to the audit committee of our board of directors regarding the incidents’ nature, scope, timing, response and remediation plan, as well as the actual or anticipated impact on our business strategy, operational performance and financial condition. The Execution Group, as a subordinate body of the Leadership Group, is responsible for cybersecurity risk assessment as well as the prevention (through implementation of policies and procedures), detection, mitigation and remediation of cybersecurity incidents. The Execution Group classifies cybersecurity incidents based on the extent of their impact on our operating systems, defines response timelines and formulates corresponding emergency plans. The Execution Group also maintains a unified and formal hierarchical reporting mechanism for cybersecurity incidents, specifying reporting methods, scope and content requirements. Furthermore, the Execution Group leads post-incident reviews, analyzing cybersecurity incidents from technical and managerial perspectives, developing corrective measures, identifying those responsible for security incidents resulting from individual violations, and holding them accountable in accordance with the company’s internal policies.
Our security, legal and internal audit departments also perform distinct functions with respect to cybersecurity management. The security department focuses on enhancing overall cybersecurity practices, offers cybersecurity-related training and education, and serves as the front-line cybersecurity implementation department. The employees of the security department are all professionals with experience in network and information security. The head of the security department is also a member of the Leadership Group. The head of the security department majored in computer science and has more than a decade of experience in network and information system security. Currently, the head of the security department is in charge of assessing, managing and handling our cybersecurity risks, organizing and administering our cybersecurity management team, and leading the implementation and build-out of our information technology architecture. Prior to joining our company, he served as an information security director at a financial technology company and as a security engineer at an application security products and services technology company, where he was deeply involved in establishing and managing the network and information system security frameworks. The legal department is responsible for interpreting cybersecurity-related laws and regulations and reviewing cybersecurity-related internal policies. The internal audit department is responsible for internal audits of the implementation of cybersecurity-related policies and procedures.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have adopted a comprehensive risk management system to manage the various risks we face, including financial risks, operational risks, compliance risks, risks associated with the stability of our information technology systems, cybersecurity risks and supplier management risks. We have established an array of risk management procedures to identify, assess and manage such risks, covering risk identification, risk assessment, risk control and risk monitoring. We have also implemented procedural design, an evaluation mechanism, and a risk grading and liability assessment mechanism to strengthen our risk management. Set forth below are the measures we undertake to manage cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our board of directors is responsible for and engaged in the oversight of our continuous efforts in monitoring, assessing and managing the risks associated with cybersecurity threats or incidents.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Leadership Group, upon assessing the nature of cybersecurity risks or threats and confirming that such risks or threats constitute significant cybersecurity incidents, reports to the audit committee of our board of directors regarding the incidents’ nature, scope, timing, response and remediation plan, as well as the actual or anticipated impact on our business strategy, operational performance and financial condition.
|Cybersecurity Risk Role of Management [Text Block]
|Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents primarily through (i) the Leadership Group and the Execution Group, and (ii) our security, legal and internal audit departments. The Leadership Group, led by our chief executive officer, is in charge of overseeing and directing cybersecurity risk management. The Leadership Group, upon assessing the nature of cybersecurity risks or threats and confirming that such risks or threats constitute significant cybersecurity incidents, reports to the audit committee of our board of directors regarding the incidents’ nature, scope, timing, response and remediation plan, as well as the actual or anticipated impact on our business strategy, operational performance and financial condition.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Execution Group classifies cybersecurity incidents based on the extent of their impact on our operating systems, defines response timelines and formulates corresponding emergency plans. The Execution Group also maintains a unified and formal hierarchical reporting mechanism for cybersecurity incidents, specifying reporting methods, scope and content requirements. Furthermore, the Execution Group leads post-incident reviews, analyzing cybersecurity incidents from technical and managerial perspectives, developing corrective measures, identifying those responsible for security incidents resulting from individual violations, and holding them accountable in accordance with the company’s internal policies. Our security, legal and internal audit departments also perform distinct functions with respect to cybersecurity management. The security department focuses on enhancing overall cybersecurity practices, offers cybersecurity-related training and education, and serves as the front-line cybersecurity implementation department.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The employees of the security department are all professionals with experience in network and information security. The head of the security department is also a member of the Leadership Group. The head of the security department majored in computer science and has more than a decade of experience in network and information system security. Currently, the head of the security department is in charge of assessing, managing and handling our cybersecurity risks, organizing and administering our cybersecurity management team, and leading the implementation and build-out of our information technology architecture. Prior to joining our company, he served as an information security director at a financial technology company and as a security engineer at an application security products and services technology company, where he was deeply involved in establishing and managing the network and information system security frameworks.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents primarily through (i) the Leadership Group and the Execution Group, and (ii) our security, legal and internal audit departments.