BRIGHTCOVE INC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

BRIGHTCOVE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:12:45 EST.

Filings

10-K filed on 2024-02-22

BRIGHTCOVE INC filed an 10-K at 2024-02-22 16:12:45 EST
Accession Number: 0000950170-24-018770

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Processes for Assessing, Identifying, and Managing Material Risks from Cybersecurity Threats; Board of Directors Oversight of Risks from Cybersecurity Threats and Management s Role and Expertise in Assessing and Managing Material Risks from Cybersecurity Threats. Cyber Risk Management and Strategy Our Board and management team recognize the importance of assessing, identifying, and managing risks from cybersecurity threats. Our process for assessing, identifying and managing risks from cybersecurity threats is informed by 32 industry standards and includes internal cybersecurity risk assessments across our environment, and is supported by cybersecurity technologies, including automated tools, designed to monitor, identify, and address cybersecurity risks. We also have a process to assess and review the cybersecurity practices of new third-party vendors and service providers, including through established vendor requirements and risk assessments. This process also includes an annual re-assessment of critical third-party vendors and service providers. This risk management program addresses, for example, risks identified by internal audits and assessments, external testing, threat intelligence providers, internal stakeholders, vulnerability management programs, and security tools and alerting. An internal business security team manages and maintains remediation strategies for identified risks and reports on them regularly to senior leadership. We also regularly monitor the systems that contain personal data for internal and external threats to ensure confidentiality, availability, and integrity, and our incident response program contains controls to identify threats and alert us to suspicious activity. Internally, we prioritize proactivity as a critical component of our security practices and require that Brightcove employees participate in security training at least annually. We also distribute up-to-date information about the cybersecurity environment to increase awareness among employees. Additionally, as a public company, we evaluate our internal control over financial reporting in connection with Section 404 of the Sarbanes-Oxley Act, and our independent registered public accounting firm is required to attest to the effectiveness of our internal control over financial reporting. Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats and security incidents relating to our and our third party vendors information systems. For more information, please see the section titled Risk Factors included under Item 1A of this Annual Report on Form 10-K. Governance Related to Cybersecurity Risks Brightcove s cyber risk management program, incident response process, and related operations are directed by the Vice President of Business Security ( VP, Business Security ). Currently, the VP, Business Security role is held by an individual who has over ten years of experience in cybersecurity, infrastructure, and cloud security and holds CISA, CISM, CIPM, and CDPSE certifications. The VP, Business Security reports to the Chief Legal Officer and is a member of the Brightcove Business Security working group, which has overall responsibility for establishing and implementing Brightcove s cybersecurity strategy. Other members of the Brightcove Business Security working group include representatives from the product, security engineering, information technology, enterprise architecture and legal teams, who collectively have experience in cybersecurity, risk management, and compliance. The Board is involved in the oversight of risks that could affect the company and receives updates at least quarterly from senior management, and periodically from outside advisors, regarding the various risks that the company faces. The audit committee assists the Board in its review and assessment of our cybersecurity, data privacy, and data security policies, practices, and procedures protecting our information technology systems, data, products, and services across all business functions, and reports its findings to the Board. The audit committee has oversight over cybersecurity and related risks and concerns, and is responsible for interfacing with management and discussing with management the company s principal risk exposures and the steps management has taken to monitor and control risk exposures, including cybersecurity and data protection policies. The audit committee is also responsible for, and reports to the Board on, (i) obtaining and reviewing reports on data management, security initiatives, and significant existing and emerging cybersecurity risks, including material cybersecurity incidents, (ii) assessing the impact on Brightcove and its stakeholders of any significant cybersecurity incident, and (iii) any disclosure obligations arising from any such incidents. The VP, Business Security reports to the audit committee to review the organizational cybersecurity program, risks, and status through quarterly updates and biannual meetings.

Company Information