Criteo S.A. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Criteo S.A. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 07:09:20 EST.

Filings

10-K filed on 2024-02-23

Criteo S.A. filed an 10-K at 2024-02-23 07:09:20 EST
Accession Number: 0001576427-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Overview Criteo recognizes the critical importance of maintaining the safety and security of our systems and data and has a holistic process for overseeing and managing cybersecurity and related risks. Our security program is led by our Chief Information Security Officer ( CISO ), who reports directly to our Chief Technology Officer ( CTO ), who is responsible for managing cybersecurity risks as well as protecting our networks and systems. Our CISO has extensive information technology and program management experience, and has served many years in our corporate information security organization. Our CISO manages our security organization, which is composed of dedicated teams of experts in security engineering, incident response, compliance, and software development. Governance Our Board of Directors is primarily responsible for the oversight of our risk management activities and has delegated to the Audit Committee the responsibility to assist in this task. 39 The Audit Committee regularly reviews and discusses with management and, as appropriate, the Company s auditors, the Company s guidelines and policies with respect to risk assessment and risk management, including the Company s data privacy and cybersecurity risk exposures and the steps taken to monitor and manage those exposures. The CISO helps maintain a comprehensive security program that serves as a governance framework for information security at Criteo, supports the business goals of the company and details, across problem spaces and security core functions, the various initiatives, their scope, the associated risks and weaknesses, the roadmap and the current progress. Criteo assesses and manages its cybersecurity risks in part through executive committees. The Governance Risk and Compliance Committee (the GRCC ), composed of the CISO and certain members of our executive and leadership teams, meets several times a year to discuss strategic information security matters including the security program, major risks and incidents and significant key performance indicators ( KPIs ). The Information Security Committee (the ISC ), a security-focused governance body including senior managers across the Company on information security activities, meets regularly to receive updates on KPIs and to review relevant standards and policies. As a member of both the GRCC and the ISC, the CISO briefs the Audit Committee on the information security program, major risks and any cybersecurity incidents, typically at least annually. Additionally, cybersecurity risks are reported to the Board of Directors, at least annually, as part of Criteo s enterprise risk mapping ( ERM ) program. Quality Control of Security To help ensure that our security program functions in line with industry expectations, Criteo invests in identifying and remediating gaps in our security posture. To accomplish this, we use a mix of our internal expertise and external third-party expertise, as needed, to audit ourselves against industry standards, such as the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework, International Organization Standardization 27001 Information Security Management System Requirements ( ISO27001 ) and the American Institute of Certified Public Accountants Service Organization Control Type 2 ( AICPA SOC 2 ). Various parts of our business maintain independently assessed security certifications, and we also run certification programs to expand the scope of our existing security certifications. Risk Management Our security team has several touch points within the business in order to adequately address and mitigate risks. Our technical security teams use a combination of threat intelligence tools, defensive tools and proactive testing to detect vulnerabilities and respond. Our technical security teams also build new tools and solutions in an effort to improve our security posture on an ongoing basis. Our security compliance teams perform third-party risk assessments, respond to client inquiries about security, help the business to manage our security controls, and translate our external requirements into policies, standards, and actions for the rest of our business. Various parts of our team also participate in risks assessments during project kick-offs. With regards to third-party risk assessments, our process involves assessing how third parties interact and connect with our information systems and our data, assessing the security of the third-party (including through questionnaires), and obtaining independent proofs of security (including via security certification and/or penetration tests) depending on the associated level of risk, as evaluated by our team. Our procurement teams also run checks to ensure vendors are not sanctioned, or otherwise identified as potentially corrupt. The process of assessing, identifying and managing cybersecurity related risks is integrated into our overall ERM via a dedicated Information Security Risk Management program that is focused on cybersecurity risk and run by our security compliance team. Risks that are identified through our security processes go through a process of analysis, prioritization, treatment and monitoring. During the lifecycle of cybersecurity specific risks, risk owners, working alongside the security compliance team, are assigned to develop risk mitigation plans, which are followed by the team until a risk is sufficiently mitigated or resolved, at which point such risk reaches a monitoring state. Cybersecurity risks are aggregated into strategic business risks and incorporated into the ERM program. Cybersecurity Incidents While we have experienced cybersecurity incidents in the past, there have been none to date which have materially affected, or are reasonably likely to materially affect, the Company, our financial position, results of operations and/or cash flows. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. 40 For more information regarding the risks we face from cybersecurity threats, please see Item 1A. Risk Factors Risks Related to Data Privacy, Intellectual Property and Cybersecurity.

Company Information