|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Jun. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have established a cybersecurity program, informed by the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), that is designed to safeguard our information systems against cybersecurity threats. This program incorporates a variety of processes and cybersecurity tools designed to assess, identify and manage material risks from cybersecurity threats.
Those processes include automated and manual testing of our systems for vulnerabilities as well as monitoring and responding to suspicious activity. We use established cybersecurity risk frameworks to identify, measure and prioritize cybersecurity risks and develop corresponding cybersecurity controls and safeguards, and we have implemented a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents. Leveraging both internal and external resources, we conduct regular reviews and tests, including penetration testing as well as tabletop and red team exercises, to evaluate the effectiveness of our cybersecurity program, enhance our cybersecurity measures, and inform our planning. We periodically engage external auditors and consultants to assess our cybersecurity programs. We also maintain a risk-based approach to identifying and overseeing risks from cybersecurity threats associated with our use of third-party service providers.
In addition, we require Affirm employees to participate in cybersecurity awareness training. These training sessions are designed to enhance our employees’ awareness of cybersecurity threats and provide information about best practices to protect Affirm’s information systems. We require additional tailored cybersecurity training for certain employees based on their specific job responsibilities.
Our cybersecurity program is integrated with our overall risk management program through our Chief Information Security Officer’s (“CISO”) participation in governance structures such as the Risk Management Committee and Technology and Operational Risk Committee, and the incorporation of cybersecurity into the Company’s overall compliance and enterprise risk management programs.
As of the date of this Report, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity program is integrated with our overall risk management program through our Chief Information Security Officer’s (“CISO”) participation in governance structures such as the Risk Management Committee and Technology and Operational Risk Committee, and the incorporation of cybersecurity into the Company’s overall compliance and enterprise risk management programs.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board of Directors has delegated authority to its Audit Committee to oversee risks associated with cybersecurity threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors has delegated authority to its Audit Committee to oversee risks associated with cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Members of the Audit Committee receive updates periodically from our CISO regarding cybersecurity risks. These updates include, among other topics, reviews of existing and newly identified cybersecurity risks, status updates on how management is addressing and/or mitigating those risks, information about cybersecurity incidents (if any), as well as updates regarding the status of key cybersecurity initiatives.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO is principally responsible for assessing and managing our cybersecurity risk management program, in partnership with leaders from our Technology, Information Security, Internal Audit, Legal and Compliance teams. Such individuals have an average of over 20 years of prior work experience in various roles involving technology, information security, auditing and compliance. These individuals, including the CISO, are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, our CISO then makes periodic reports to the Audit Committee regarding such matters.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CISO is principally responsible for assessing and managing our cybersecurity risk management program, in partnership with leaders from our Technology, Information Security, Internal Audit, Legal and Compliance teams.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Such individuals have an average of over 20 years of prior work experience in various roles involving technology, information security, auditing and compliance.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|These individuals, including the CISO, are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true