|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
At SoFi, we recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that our customers share with us. Using guidance set forth in our Enterprise Risk Management program, we have implemented a cybersecurity risk management program to lead and support the management of information security risks in accordance with our risk profile and business strategy, which is informed by recognized industry standards and frameworks, such as International Organization for Standardization 27002:2013. For additional guidance, we also refer to the National Institute of Standards and Technology Cybersecurity Framework, Payment Card Industry Data Security Standard, Federal Financial Institutions Examination Council information security guidelines, and Center of Internet Security controls.
Our cybersecurity risk management program includes a number of components, designed to identify, analyze, and respond to cybersecurity risks, including reliance on a layered system of preventative and detective technologies, controls, and policies designed to detect, mitigate, and contain cybersecurity threats. Information security program risk assessments and third party attestations and assessments are conducted periodically by both internal and external resources. We leverage qualified third-party security assessors to identify vulnerabilities through both internal and external penetration tests and perform internal cybersecurity maturity assessments. In addition, our internal audit team conducts information security and information technology audits on an annual basis. We are also subject to examinations by applicable regulators. We conduct cybersecurity awareness training for personnel upon hire and on a periodic basis thereafter, which includes phishing training campaigns.
As part of our cybersecurity risk management program, SoFi maintains a formal Third-Party Security Risk Management program that provides oversight of cybersecurity risks related to supplier relationships. During supplier onboarding, we perform risk-based due diligence for suppliers with access to confidential SoFi information or that require technical integration with SoFi systems. This program includes the provision of a cybersecurity risk assessment to these suppliers during onboarding as well as ongoing monitoring, assessment, and contract review.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For more information on risks to us from cybersecurity threats, see “Cyberattacks and other security incidents and compromises could have an adverse effect on our business, harm our reputation and expose us to liability and adversely affect our ability to collect payments and maintain accurate accounts. Efforts to prevent and respond to these attacks and incidents are costly” in Part I, Item 1A. “Risk Factors—Information Technology and Data Risks”.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|At SoFi, we recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that our customers share with us. Using guidance set forth in our Enterprise Risk Management program, we have implemented a cybersecurity risk management program to lead and support the management of information security risks in accordance with our risk profile and business strategy, which is informed by recognized industry standards and frameworks, such as International Organization for Standardization 27002:2013.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board of Directors has overall responsibility for risk oversight and has delegated oversight of our cybersecurity program to the Risk Committee, which is comprised of a minimum of three Board members.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors has overall responsibility for risk oversight and has delegated oversight of our cybersecurity program to the Risk Committee, which is comprised of a minimum of three Board members. The Risk Committee is responsible for the information technology and cybersecurity function at the Company. Relevant duties include, but are not limited to, annually reviewing Cybersecurity’s prior year performance and the upcoming program roadmap, and approving the cybersecurity program. The Risk Committee meets at least four times each year and discusses cybersecurity risk management as relevant and applicable.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CISO provides cybersecurity updates, including risks and threats to the Risk Committee as appropriate, on a quarterly basis.
|Cybersecurity Risk Role of Management [Text Block]
|The Risk Committee is responsible for the information technology and cybersecurity function at the Company. Relevant duties include, but are not limited to, annually reviewing Cybersecurity’s prior year performance and the upcoming program roadmap, and approving the cybersecurity program. The Risk Committee meets at least four times each year and discusses cybersecurity risk management as relevant and applicable.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Risk Committee is responsible for the information technology and cybersecurity function at the Company. Relevant duties include, but are not limited to, annually reviewing Cybersecurity’s prior year performance and the upcoming program roadmap, and approving the cybersecurity program. The Risk Committee meets at least four times each year and discusses cybersecurity risk management as relevant and applicable. Our CISO has primary responsibility for assessing and managing our cybersecurity program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has served in this role at SoFi for four years and has over twenty years of experience working in senior leadership positions in the cybersecurity industry. He previously served as the CISO at leading software and data analytics companies and co-founded a cybersecurity company.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CISO provides cybersecurity updates, including risks and threats to the Risk Committee as appropriate, on a quarterly basis.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true