CLARIVATE PLC 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

CLARIVATE PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 06:04:00 EST.

Filings

10-K filed on 2024-02-27

CLARIVATE PLC filed a 10-K at 2024-02-27 06:04:00 EST
Accession Number: 0001764046-24-000016


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

At Clarivate, cybersecurity risk management is an integral part of our Enterprise Risk Management program. Because we are a global information services provider, our business is highly dependent on the protection of our proprietary software and content, as well as the timeliness, accuracy, and availability of our offerings. Consequently, we are highly sensitive to risks from cybersecurity threats to our information systems, particularly those threats that would affect our ability to continue to provide real-time access to our database content and analysis. To mitigate these threats, we utilize the following processes and governance structure.

Our Information Security Risk Management program is based on recognized industry governance frameworks, including the International Organization for Standardization. It provides a framework to identify, assess, and control cybersecurity threats and incidents. We perform an annual information security risk assessment with the assistance of independent security companies, with the aim to embed information security principles and objectives into our culture, business operations, and support functions.

Our cybersecurity efforts also include mandatory information security awareness training for all employees, clearly defined expectations for acceptable use policies, and certification of adherence to a code of conduct. The IT Governance, Risk, and Compliance ("IT GRC") team conducts periodic audits to evaluate policy and regulatory compliance, recording findings for subsequent review and remediation initiatives. We also leverage internal and external security subject matter experts to conduct comprehensive risk assessments, including architecture reviews, vulnerability scans, penetration tests, application security evaluations, and technical compliance reviews.

We maintain a security threat intelligence system that collects and analyzes data from internal vulnerability management tools, vendors, and third-party security organizations. Our patch management standard is designed to ensure that appropriate patching practices are consistently applied to our technology infrastructure, and a Security Operations Center enhances our real-time awareness, event correlation, and incident response capabilities.

As part of our risk management program, we also assess cybersecurity risks associated with third-party service providers. We have processes in place to oversee and identify material risks from cybersecurity threats associated with our engagement of such providers, including the use of cybersecurity risk criteria when determining the selection and oversight of those service providers.

Cybersecurity Governance

The Board of Directors, acting directly and through its committees, is responsible for the oversight of our risk management programs. The Board's Risk & Sustainability Committee has the delegated responsibility for the oversight of key enterprise risks, including risks from cybersecurity threats. The committee also provides oversight of our policies and processes for monitoring and mitigating such risks. Among other duties, the Risk & Sustainability Committee receives and reviews periodic reports from management pertaining to cybersecurity programs and data protection controls, as well as other information security reports that the committee deems appropriate. The committee meets at least quarterly, and the chair of the committee gives regular reports to the Audit Committee and the full Board of Directors on its activities.

Management is responsible for day-to-day risk management activities, including those relating to information systems and cybersecurity.

We employ an internal chief information security officer ("CISO") who has more than 25 years of technology industry leadership, cybersecurity expertise, and engineering and operations experience. Our CISO and his team of certified security subject matter experts (collectively, "Information Security") have deep experience and expertise in cybersecurity and lead our organizational efforts to assess and manage material risks associated with our information systems and cybersecurity threats.

Our dedicated Information Security Steering Committee regularly reviews our most significant information security risks, strategic projects, and KPIs. On a quarterly basis, Information Security also meets with business segment leadership to discuss the most significant risks, including identifying potentially material risks and developing, implementing, and applying reasonable risk mitigation processes. Our risk management programs are developed, implemented, managed, and reviewed at the direction of Information Security and business segment leaders, with subsequent actions determined based on the results of these preventive and detective controls.

We have implemented incident response procedures that define our approach when potential security incidents are identified, with clear definition of the escalation path, including when notification to the Risk & Sustainability Committee is required. Depending on the assessed severity of the incident, the Risk & Sustainability Committee may be notified immediately or at its next regularly scheduled meeting.


Company Information

Name: CLARIVATE PLC
CIK: 0001764046
SIC Description: Services-Computer Processing & Data Preparation
Ticker: CLVT - NYSE, CLVT-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30