Dun & Bradstreet Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Dun & Bradstreet Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 17:11:32 EST.

Filings

10-K filed on 2024-02-22

Dun & Bradstreet Holdings, Inc. filed a 10-K at 2024-02-22 17:11:32 EST
Accession Number: 0001799208-24-000015


Item 1C. Cybersecurity.

At Dun & Bradstreet, we are committed to identifying, categorizing, evaluating, managing, and mitigating risks related to our data, technology, and operations through our enterprise risk management (ERM) program, our cybersecurity (Cyber) program, and our compliance and ethics (C&E) program. Our ERM, Cyber, and C&E programs continuously coordinate on vulnerability, threat, and risk monitoring and periodic reporting to provide a comprehensive view of evolving cybersecurity risks. Through these programs, we evaluate risks at various levels ranging from systems, applications, processes, products, and analytics, to incidents, and macro and aggregate risks in the environment and ecosystems in which we operate. We also utilize this risk-based approach to assess, identify and manage risks from cybersecurity threats associated with third parties with whom we do business, including those that provide services, systems, and data processing. We apply consistent methodologies to evaluate inherent and residual risk levels to identify and prioritize management of our highest risks, including material cybersecurity risks. We utilize our risk management processes to prioritize our annual Cyber workplans, including monitoring and internal audit and external assurance reviews, such as our SOC 2, Type 2 Independent Service Auditor’s Report on controls relevant to security, availability, and confidentiality, and our participation in the TRUSTe Data Privacy Framework verification program. We have engaged an industry-leading cybersecurity firm to conduct a cyber threat profile that addresses not only our immediate environment, but also the broader cyber threat landscape and threat actors that may be targeting our industry or the geographic locations in which we operate.
We actively participate in several global and regional trade and policy associations, think tanks, and professional organizations related to cybersecurity, information policy, privacy, and artificial intelligence to maintain timely insights on rapidly evolving cybersecurity and data risks affecting our business. We take a holistic approach to identification, mitigation and management of cybersecurity and data risks through governance and compliance processes integrated across our Cyber program and our C&E program. These processes include integrated policies, risk assessments, impact assessments, third party reviews and monitoring, incident response, and external certification programs such as ISO 27001: Information Security Management Systems, ISO 27701: Privacy Information Management Systems, and APEC Cross-Border Privacy Rules System. We recognize that our first line of defense is our employees and we incorporate cybersecurity awareness education in our annual Code of Conduct and Ethics training program to ensure our employees understand their roles in safeguarding against potential cyber threats. We have established an Enterprise Risk Committee, which is led by our Chief Risk Officer and includes our executive management team, our Chief Cybersecurity and Technology Risk Officer, our Chief Ethics and Compliance Officer, and our Head of Internal Audit, for the purpose of monitoring the Company’s identification, assessment, mitigation and management of enterprise risks, including cybersecurity risks. 
Our Chief Risk Officer, Chief Cybersecurity and Technology Risk Officer and Chief Ethics and Compliance Officer each report to the Enterprise Risk Committee on relevant cyber and data risks, controls, and progress against action plans on at least a quarterly basis, and work in coordination with cross-functional teams to oversee our information security strategy and work collaboratively with business leaders across the organization to assess, identify, and manage risks from cybersecurity threats, and to address cybersecurity incidents globally when they arise. With respect to incident response, we maintain a global incident and breach response program coordinated by our Chief Cybersecurity and Technology Risk Officer and our Chief Ethics and Compliance Officer. Our incident and breach response program follows requirements of applicable laws and recognized frameworks, such as those established by ISO and the U.S. National Institute of Standards and Technology, and applies a risk-based approach across six phases comprised of (i) preparation, (ii) detection, (iii) reporting and escalation, (iv) analysis and evaluation, (v) response, and (vi) post-incident activities. Our ERM program is led by our Chief Risk Officer, who reports to our Chief Executive Officer. Our Cyber program is led by our Chief Cybersecurity and Technology Risk Officer, who reports to our Chief Technology Officer. Our C&E program is led by our Chief Ethics and Compliance Officer, who reports to our Chief Legal Officer. The collective relevant cybersecurity experience and expertise of the persons holding the positions of Chief Risk Officer, Chief Cybersecurity and Technology Risk Officer, and Chief Ethics and Compliance Officer is over 75 years, and includes multiple information security and privacy professional certifications, and various pan-industry leadership roles related to cybersecurity and data risks.
Our board of directors oversees risk directly and through its committees. Our audit committee is responsible for oversight of our policies and practices with respect to risk assessment and risk management including our cybersecurity and ERM programs. At each regular meeting of the audit committee of our board of directors, our Chief Risk Officer, Chief Cybersecurity and Technology Risk Officer and Chief Ethics and Compliance Officer each report on risks, controls, and risk mitigation actions to address existing and emerging cybersecurity and data risks, any incidents, and progress against the Company’s cybersecurity strategic roadmap. The audit committee provides guidance and feedback to management on areas of focus to continuously improve the programs and to mitigate our evolving risks. Our audit committee chairman reports on these discussions and other matters to our board of directors on a quarterly basis. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. See Item 1A. Risk Factors, “Data security and integrity are critically important to our business, and cybersecurity incidents, including cyberattacks, breaches of security, unauthorized access to or disclosure of confidential information, business disruption, or the perception that confidential information is not secure, could result in a material loss of business, regulatory enforcement, substantial legal liability and/or significant harm to our reputation.” for more information about these and other risks related to information security.


Company Information

Name: Dun & Bradstreet Holdings, Inc.
CIK: 0001799208
SIC Description: Services-Consumer Credit Reporting, Collection Agencies
Ticker: DNB - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30