Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Mar. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical information systems. Our cybersecurity risk management program is integrated into our broader Information Security Management System (“ISMS”), which is designed to identify, assess and manage risks across the organization and to enhance our resilience and support the achievement of our strategic security objectives. Our cybersecurity risk management program includes a cybersecurity incident response plan and engagement of third-party cybersecurity experts who assist the organization with preparedness and on an as-needed basis. The audit committee of our board of directors oversees enterprise risk management as an integral and continuous part of its oversight role. Integrated into our overall enterprise risk management framework are processes dedicated to the identification, assessment and management of material risks from cybersecurity threats. Our approach to cybersecurity risk management is both proactive and defensive, and includes the following elements:

•    a team dedicated solely to cybersecurity and managed by our Chief Security Officer (“CSO”), who reports directly to our Chief Executive Officer. The CSO and his team are responsible for leading enterprise-wide cybersecurity strategy, policies, standards, architecture and processes. Our CSO has over 20 years of and cybersecurity and infrastructure experience, including serving as the Chief Information Security Officer (“CISO”) at Calendly, VP of Information Security and CISO at Ripple, and Senior Director of Enterprise Security at Salesforce.
•    a cybersecurity vulnerability assessment process that includes internal testing, as well as engagements with outside security researchers, for identification, evaluation and management of cybersecurity risks. For example, we conduct penetration tests, manage a bug bounty program, conduct tabletop exercises and run red team/purple team exercises to evaluate the effectiveness of our ISMS and cybersecurity practices.
•    Our CSO and his team are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents in accordance with our defined Privacy and Security Incident Response plan, which is reviewed along with other plans relevant to our cybersecurity risk management on an annual basis.
•    an information technology request review process that includes cybersecurity assessments of third-party products and systems proposed to connect to our information systems environment or access our data.
•    a training program that includes updates on current security topics, including social engineering, phishing, password protection, protecting personal data, appropriate use of assets, and
•    an annual certifications program by an accredited third-party auditor for compliance with ISO/IEC 27001:2013 for an ISMS, ISO/IEC 27701:2019 for a patient information management system, as well as the requirements and control implementation guidance within ISO/IEC 27018:2019 for cloud computing.

Cybersecurity Team and Strategy — The cybersecurity team, led by the CSO, is responsible for managing the day-to-day cybersecurity strategy of the organization, including oversight of our cybersecurity tools and controls to protect company assets. We have implemented an iterative and multi-layered cybersecurity strategy that incorporates both proactive review of the evolving cybersecurity threat landscape and reactive management of cybersecurity threats. Our proactive management of cybersecurity risks includes access limitations, data loss prevention programs, correction of potential cybersecurity risks, and programs for employee education regarding cybersecurity risks. Our reactive management of cybersecurity risks includes continuous logging and alerting, utilization of enterprise cybersecurity technology, and personnel dedicated to incident response.
Third-Party and Vendor Management Review Processes — We have implemented processes to assess cybersecurity controls while on-boarding and managing third-party vendors. Additionally, we have implemented a process for annual review and enforcement of the cybersecurity controls for third-party vendors that provide essential services and/or store data that presents a business risk to us and/or our customers.
Cybersecurity Incident Response Plan — In October 2023, we experienced a cybersecurity incident in which certain information of our users was accessed and downloaded from individual 23andMe.com accounts without the account users’ authorization. Following the Cyber Incident, we implemented changes to our information systems and processes to provide additional protections to our environment, including enhancing our Security Operations, resetting customer passwords, requiring two-step verification for new and existing customers, enhancing our detection tools and capabilities, and implementing new tools and processes, among others. However, we continue to face a heightened risk of cybersecurity threats which may materially impact our operations. For more information about our cybersecurity related risks, see “We have experienced a criminal cyber incident and could in the future experience other security breaches, disruption to our business, or reputational harm” in Part 1, Item 1A, Risk Factors of this Form 10-K.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management program is integrated into our broader Information Security Management System (“ISMS”), which is designed to identify, assess and manage risks across the organization and to enhance our resilience and support the achievement of our strategic security objectives. Our cybersecurity risk management program includes a cybersecurity incident response plan and engagement of third-party cybersecurity experts who assist the organization with preparedness and on an as-needed basis. The audit committee of our board of directors oversees enterprise risk management as an integral and continuous part of its oversight role.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Cybersecurity Incident Response Plan — In October 2023, we experienced a cybersecurity incident in which certain information of our users was accessed and downloaded from individual 23andMe.com accounts without the account users’ authorization. Following the Cyber Incident, we implemented changes to our information systems and processes to provide additional protections to our environment, including enhancing our Security Operations, resetting customer passwords, requiring two-step verification for new and existing customers, enhancing our detection tools and capabilities, and implementing new tools and processes, among others. However, we continue to face a heightened risk of cybersecurity threats which may materially impact our operations.
Cybersecurity Risk Board of Directors Oversight [Text Block] Board Oversight — Our board of directors has identified the oversight of cybersecurity risks to be one of its priorities, and it receives regular reports from management, including the CSO, on various cybersecurity matters, including the security of the company’s information systems, anticipated sources of future material cyber risks and how management is addressing any significant potential vulnerability. The board’s audit committee reviews our cybersecurity program at least annually and receives regular updates on cybersecurity threats and other matters.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The board’s audit committee reviews our cybersecurity program at least annually and receives regular updates on cybersecurity threats and other matters.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The board’s audit committee reviews our cybersecurity program at least annually and receives regular updates on cybersecurity threats and other matters.
In addition to regular updates to the audit committee, we have protocols by which we escalate certain cybersecurity incidents to the board and the audit committee.
Cybersecurity Risk Role of Management [Text Block]
Management Oversight — We have implemented a cross-functional ISMS governance committee that drives awareness and alignment across broad governance and stakeholder groups for effective cybersecurity risk management. The CSO and acting Data Privacy Officer (“DPO”) co-chair the ISMS Governance Committee. The ISMS Governance Committee acts in alignment with the Data Protection Governance Committee, another cross-functional governance committee, which provides strategic direction and oversight over the company’s program related to data protection. These governance committees have responsibility for oversight, resource allocation, capabilities and planning. Members of the ISMS committee review newly identified cybersecurity risks, evaluate the appropriate treatments, and monitor the on-going status of risk remediation. The CSO and acting DPO regularly report to the audit committee on these matters.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] We have implemented a cross-functional ISMS governance committee that drives awareness and alignment across broad governance and stakeholder groups for effective cybersecurity risk management. The CSO and acting Data Privacy Officer (“DPO”) co-chair the ISMS Governance Committee. The ISMS Governance Committee acts in alignment with the Data Protection Governance Committee, another cross-functional governance committee, which provides strategic direction and oversight over the company’s program related to data protection. These governance committees have responsibility for oversight, resource allocation, capabilities and planning. Members of the ISMS committee review newly identified cybersecurity risks, evaluate the appropriate treatments, and monitor the on-going status of risk remediation. The CSO and acting DPO regularly report to the audit committee on these matters.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CSO has over 20 years of and cybersecurity and infrastructure experience, including serving as the Chief Information Security Officer (“CISO”) at Calendly, VP of Information Security and CISO at Ripple, and Senior Director of Enterprise Security at Salesforce.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The ISMS Governance Committee acts in alignment with the Data Protection Governance Committee, another cross-functional governance committee, which provides strategic direction and oversight over the company’s program related to data protection. These governance committees have responsibility for oversight, resource allocation, capabilities and planning. Members of the ISMS committee review newly identified cybersecurity risks, evaluate the appropriate treatments, and monitor the on-going status of risk remediation. The CSO and acting DPO regularly report to the audit committee on these matters.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true