Etsy 2023 Annual Report Reveals New Risk Committee, Focus On Cybersecurity
Etsy reported Q4 2023 earnings yesterday with Gross Merchandise Sales down 1.4%, active buyers up 3% and increased revenue primarily driven by growth in Etsy ads and payments.
During the call, CEO Josh Silverman briefly mentioned the $15 shop onboarding fee and other initiatives announced yesterday to continue to "promote Etsy as a trusted marketplace", but he carefully framed the topic in terms of take rate and revenue, saying it will not have much of an impact as the bulk of those fees collected will be invested directly into this new seller onboarding initiative.
We estimate Q1 2024 take rate to be between 21% and 21.5%. This can be used to estimate revenue range for the quarter. Note that earlier today, we announced to our seller community that we are strengthening our new shop onboarding process to continuing to promote as trusted marketplace, including introducing a seller onboarding fee.
This initiative requires certain new technology investments, particularly for seller verification, so the net benefit to our margins will be nominal...
...And that, by the way, is not a big take rate driver. I think the revenue in that is going to be relatively small, but it's going to be good value exchange, making sure it's really secure to become a seller on Etsy.
And I think that's good for all of the sellers and the buyers on Etsy, and the fee we're charging is nominal. If it's not worth $15 to create a shop on Etsy, then maybe you're not committed enough to likely succeed on Etsy. But that's not a huge revenue driver.
CFO Rachel Glaser also touched on the new shop onboarding process, saying it creates "friendly friction" that can help with bad actors on the site.
Today, we launched the seller fee, which not only has the benefit of incremental take rate, which, by the way, completely is reinvested back in safety of the marketplace.
But it creates - did you call it friendly friction earlier? Friendly friction so that we create a little speed bump, for not just any seller can create a listing for $0.20 and some kind of product. It's a moment to think about, well, I'm going to have to make payments fee. And that helps us with bad actors on the site, so that we get both the benefits of that.
Etsy has increasingly come under fire in the last year for allowing illegal, counterfeit or policy violating goods to flood the marketplace, leading to changes in the enforcement of Etsy's handmade policy which legitimate sellers worry could harm their businesses if not implemented and executed well - which we saw when a technical glitch took down visibility of many best selling items in error during a "routine sweep" earlier this month.
Unfortunately, the bot dragnet often gets it wrong, harming legitimate sellers while allowing bad actors to remain, as clearly indicated by troubling reports that AI-generated celebrity deep-fake porn was not just allowed for sale on the site, but actively promoted by the company's recommendation and related searches features.
Etsy also been battling a massive wave of spam and scams targeting users with fake support links and other fraud attempts for months, leading to changes to how communication from Etsy appears in a user's messaging inbox as well as limiting access to the API for certain 3rd party applications and plans to cut off public visibility to most of the Etsy community forums.
Unfortunately, not only have the scams not stopped, Etsy's efforts to combat them often interrupt legitimate buyer and seller interactions on the platform, making it harder for real users to transact on the site.
The problem has gotten so bad, some users are starting to wonder if Etsy has much larger cybersecurity and safety issues than they are currently letting on.
Those questions and concerns would appear not to be unfounded as page 76 of Etsy's 10-K annual report filed with the SEC today includes a new section on "Cybersecurity Risk Management and Strategy" and reveals that the Board of Directors established a Risk Oversight Committee in December 2023.
In the report, Etsy goes to great lengths to tout the credentials of their Chief Technology Officer and Chief Information Security Officer as well as the company's efforts to manage and mitigate cybersecurity risks.
Given the importance of information security to our stakeholders, our Board or the committee of our Board of Directors responsible for assisting the Board of Directors with its oversight of cybersecurity risk receives regular reports from our CISO on cybersecurity-related matters, including the status of projects to strengthen our security systems and to improve our cyber threat readiness, as well as on the existing and emerging cyber threat landscape and our program for managing these security risks.
In addition, our CISO has direct access to the chair of the committee of our Board of Directors overseeing cyber-related risks and is expected to keep that committee apprised of any significant developments that may emerge between scheduled meetings that may require the attention of the Board or relevant committee.
The Risk Oversight committee will oversee Etsy’s management of risk exposure, which had previously been under the purview of the Audit Committee, and will also be responsible for oversight of management’s processes for effectively monitoring and mitigating risk.
Cybersecurity Governance
Our Board and our Board Committees are actively engaged in the oversight of our information security program. Before the establishment of our Risk Oversight Committee, our Audit Committee assisted our Board of Directors with its oversight of risks associated with Etsy’s technology and information security policies and practices, the internal controls relating to information security, and the steps taken by management to identify, monitor, and control any risk exposures.In December 2023, our Board approved the formation of a Risk Oversight Committee to assist the Board with its oversight of Etsy’s management of risk exposures, including oversight of technology and information security related risks (which responsibility will move from the Audit Committee to the Risk Oversight Committee), as well as oversight of management’s processes for effectively monitoring and mitigating risk.
The charter for the Risk Oversight Committee lists the specific responsibilities it will be tasked with, indicating Etsy is feeling increasing pressure to address the serious issues of counterfeit and illegal goods as well as scams and cybersecurity issues on the platform.
The following risks will be overseen by the Committee:
- Technology and information security related risks, including cyber security risks and related disclosure requirements, and risks posed by artificial intelligence and machine learning models;
- Regulatory and compliance risks, including, inter alia, marketplace regulation, data protection and privacy, corporate compliance,and regulatory change management;
- Marketplace risks, including content moderation, intellectual property and anti-counterfeit programs, marketplace fraud, product safety, and financial crime;
- Operational resilience risks, inclusive of third-party and supplier risks; and
- Payments operations and payments risks.
These changes come as Etsy welcomes a new member to the board earlier this month with notorious activist investor Elliott Management taking a 13% stake in the company.
If that name sounds familiar, you may remember the infamous Enhancing eBay letter Elliott Management published aimed at eBay CEO Devin Wenig calling for substantial changes at the company in 2019.
While Elliott's relationship with Etsy has so far been less confrontational than other activists plays they've made in the past, their increasing involvement and influence will surely add even more pressure on Silverman to address some of the serious issues facing the company - including counterfeit and illegal or policy violating items, scams targeting buyers and sellers using Etsy's platform, and cybersecurity and information security concerns.
Do you think Etsy is doing enough to manage cybersecurity risks, protect users from scams, and police counterfeit, illegal or policy violating goods on the platform? Let us know in the comments below!