MediaAlpha, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

MediaAlpha, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 14:03:12 EST.

Filings

10-K filed on 2024-02-22

MediaAlpha, Inc. filed a 10-K at 2024-02-22 14:03:12 EST
Accession Number: 0001818383-24-000011


Item 1C. Cybersecurity.

Risk management and strategy

Our technology platform and other information systems are subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk, and reputational risk. We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. Our cybersecurity program is aligned with industry standards and best practices. We are currently pursuing a SOC 2 Type 2 Report, and are working to achieve compliance with the National Institute of Standards and Technology (NIST) 800-171 Cybersecurity Framework.

We have strategically integrated cybersecurity risk management into our broader Enterprise Risk Management Plan to promote a company-wide culture of cybersecurity risk management. An analysis of the potential threat facing the organization tempered with the level of vulnerability to that threat is used to determine the likelihood of risk. We use various tools and methodologies to manage cybersecurity risk that are tested on a regular cadence and at least annually. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds.

We generally require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. We use third-party service providers to assist us from time to time to identify and monitor material risks from cybersecurity threats, including legal counsel and other professional services firms, threat intelligence services, and cybersecurity consultants.

We are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.

Governance

The Board of Directors are acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Audit Committee of the Board has the primary responsibility to oversee effective governance in managing risks associated with cybersecurity threats. Our Audit Committee is composed of members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.

Our cybersecurity program is managed by a dedicated Chief Information Security Officer (CISO) with over 25 years of experience, who has held leadership roles during his career managing cybersecurity, information compliance and governance, privacy programs, and risk remediation. The CISO holds several certifications in cybersecurity-related areas, including Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC) and Certified Information Systems Auditor (CISA).

The CISO, General Counsel, and the Chief Financial Officer (CFO) play a critical role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee, generally on a quarterly basis but at least annually, which encompass a broad range of topics, including: current cybersecurity landscape and emerging threats; status of ongoing cybersecurity initiatives and strategies; incident reports and learnings from any cybersecurity events; and compliance with regulatory requirements and industry standards. The Audit Committee also conducts an annual review of the Company's cybersecurity posture and the effectiveness of its risk management strategies.

In the event of a cybersecurity incident, the CISO is equipped with a well-defined cyber crisis response plan. This plan includes assigning of the roles and duties of the crisis management team, immediate actions to mitigate the impact of the incident, and long-term strategies for remediation and prevention of future incidents. All incidents are reported to the Security Steering Committee, and events that may result in a material loss are additionally reported to the Audit Committee and evaluated for public disclosure as well as disclosure to the appropriate authorities. The Audit Committee oversees management's remediation actions relating to such events, and approves management's assessment of the materiality of the event to the Company.


Company Information

Name: MediaAlpha, Inc.
CIK: 0001818383
SIC Description: Services-Business Services, NEC
Ticker: MAX - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30