Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Chegg and its Board of Directors (the “Board”) recognize the critical importance of maintaining the trust and confidence of our students, business partners, and employees. We have established an Information Security and Governance Program (“ISP”) utilizing the National Institute of Standards and Technology Cybersecurity Framework as an authoritative source of cybersecurity standards and framework for measurement. The ISP is comprised of the following components: (i) policies which describe the core requirements and design aspects of the program, (ii) standards that provide quantifiable and prescriptive requirements to meet the program's design, (iii) processes that provide operational requirements to meet the ISP's policies and standards consistently, and (iv) implementation playbooks which are created, maintained, and used by the respective team responsible for implementation.

The ISP has three core functions underlying its design, which are intended to provide Chegg with appropriate oversight and governance to execute, monitor, measure and report on the performance of the program in a consistent manner:

management (control owners) have a responsibility to own and manage risks associated with day-to-day operations, including the design, implementation, and ongoing operation of controls;
compliance and cybersecurity teams enable the identification of emerging risks in daily operation of our business, providing compliance and oversight in the form of frameworks, policies, tools, and techniques to support management; and
independent assessors provide objective evaluation by assessing whether the first and second functions above are operating successfully, providing assurance that controls are effective in both design and operation.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have established an Information Security and Governance Program (“ISP”) utilizing the National Institute of Standards and Technology Cybersecurity Framework as an authoritative source of cybersecurity standards and framework for measurement. The ISP is comprised of the following components: (i) policies which describe the core requirements and design aspects of the program, (ii) standards that provide quantifiable and prescriptive requirements to meet the program's design, (iii) processes that provide operational requirements to meet the ISP's policies and standards consistently, and (iv) implementation playbooks which are created, maintained, and used by the respective team responsible for implementation.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Audit Committee of the Board (the “Audit Committee”) provides independent oversight of the ISP. As a component of the ISP, the Audit Committee receives a report on the health and performance of the ISP on at least an annual basis. The Audit Committee provides guidance and oversight to help ensure the ISP meets the needs of all interested parties and fulfills its core functions.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Audit Committee of the Board (the “Audit Committee”) provides independent oversight of the ISP. As a component of the ISP, the Audit Committee receives a report on the health and performance of the ISP on at least an annual basis. The Audit Committee provides guidance and oversight to help ensure the ISP meets the needs of all interested parties and fulfills its core functions.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Audit Committee of the Board (the “Audit Committee”) provides independent oversight of the ISP. As a component of the ISP, the Audit Committee receives a report on the health and performance of the ISP on at least an annual basis. The Audit Committee provides guidance and oversight to help ensure the ISP meets the needs of all interested parties and fulfills its core functions.
Cybersecurity Risk Role of Management [Text Block]
Our Trust and Security organization (“T&S”) is responsible for implementing the ISP. T&S is led by our Chief Information Security Officer (“CISO”), Lonnie Benavides, who reports to our Chief Technology Officer (“CTO”), Chuck Geiger. T&S is made up of two sub-teams, each led by a director who reports to the CISO:

Information Security, which is responsible for implementing all aspects of the ISP and is structured around the following pillars: (i) Application Security, (ii) Infrastructure (Cloud) Security, (iii) Corporate IT Security, (iv) Security Operations, and (v) Governance and Risk Management.
Compliance and Privacy, which is responsible for assessing and preparing internal teams for regulatory compliance pertaining to information security, secured financial reporting, and privacy and is structured around the following pillars: (i) Privacy, (ii) Compliance, (iii) Vendor Risk Management, and (iv) Security Awareness.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our Trust and Security organization (“T&S”) is responsible for implementing the ISP. T&S is led by our Chief Information Security Officer (“CISO”), Lonnie Benavides, who reports to our Chief Technology Officer (“CTO”), Chuck Geiger. T&S is made up of two sub-teams, each led by a director who reports to the CISO:

Information Security, which is responsible for implementing all aspects of the ISP and is structured around the following pillars: (i) Application Security, (ii) Infrastructure (Cloud) Security, (iii) Corporate IT Security, (iv) Security Operations, and (v) Governance and Risk Management.
Compliance and Privacy, which is responsible for assessing and preparing internal teams for regulatory compliance pertaining to information security, secured financial reporting, and privacy and is structured around the following pillars: (i) Privacy, (ii) Compliance, (iii) Vendor Risk Management, and (iv) Security Awareness.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Mr. Benavides joined Chegg in 2024 and has served various roles in information technology and security for over 25 years, including serving as CISO of a mortgage servicing company prior to joining Chegg. Mr. Benavides holds an undergraduate degree in Information Technology with a specialization in Information Assurance and Security and was a distinguished graduate of the US Air Force Secure Communications school. Mr. Geiger holds an undergraduate degree in computer science and has served in various roles in information technology for over 30 years, including serving as either the CTO or Executive Vice President of Technology of four companies prior to joining Chegg. Our CEO, CFO and General Counsel each hold degrees in their respective fields, and each have over 20 years of experience managing risks at Chegg and other companies, including risks arising from cybersecurity threats.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our Trust and Security organization (“T&S”) is responsible for implementing the ISP. T&S is led by our Chief Information Security Officer (“CISO”), Lonnie Benavides, who reports to our Chief Technology Officer (“CTO”), Chuck Geiger. T&S is made up of two sub-teams, each led by a director who reports to the CISO:

Information Security, which is responsible for implementing all aspects of the ISP and is structured around the following pillars: (i) Application Security, (ii) Infrastructure (Cloud) Security, (iii) Corporate IT Security, (iv) Security Operations, and (v) Governance and Risk Management.
Compliance and Privacy, which is responsible for assessing and preparing internal teams for regulatory compliance pertaining to information security, secured financial reporting, and privacy and is structured around the following pillars: (i) Privacy, (ii) Compliance, (iii) Vendor Risk Management, and (iv) Security Awareness.

T&S also partners with other dedicated teams which report to our CTO:

Operations and Analytics, which is responsible for identifying and measuring consumer fraud and abuse of our customer-facing services, implementing manual and automated operations to ensure these are within acceptable bounds, and working with our product and engineering teams to design and implement longer term solutions.
Security and Fraud Engineering, which is responsible for building libraries, services, and integrations that interface with both backend and vendor systems to support the objectives of T&S.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true