INTEGRAL AD SCIENCE HOLDING CORP. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

INTEGRAL AD SCIENCE HOLDING CORP. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:17:31 EST.

Filings

10-K filed on 2024-02-27

INTEGRAL AD SCIENCE HOLDING CORP. filed an 10-K at 2024-02-27 16:17:31 EST
Accession Number: 0001842718-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We maintain a comprehensive technology and cybersecurity program designed to ensure our systems are effective and prepared for information security risks. This includes regular oversight of our programs for security monitoring for internal and external threats to maintain the confidentiality and integrity of our information assets. We have a formal, risk-based and enterprise-wide risk assessment program, which incorporates the assessment of security risk exposures, including cybersecurity risks. Security starts for our system at the edge of the network. We then build security deeper into the system resulting in interlocking layers designed to strengthen each other. Our information security management system is based upon industry leading frameworks, including ISO 27001. ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization s overall business risks. It specifies the requirements for the implementation of security controls customized to the needs of individual organizations and addresses confidentiality, access control, vulnerability, business continuity, and risk assessment. 59 Table of Contents In addition, our cybersecurity program includes the implementation of controls aligned with industry guidelines and applicable statutes and regulations to identify threats, detect attacks and protect these information assets. We have implemented security monitoring capabilities designed to alert us to suspicious activity and developed an incident response program that includes periodic testing and is designed to restore business operations as quickly and as orderly as possible in the event of a breach. Our information security team conducts annual information security awareness training for employees involved in our systems and processes that handle customer data and enhanced training for specialized personnel. Additionally, our information security team conducts internal annual audits of our systems. Our program includes annual review and assessment by external, independent third-parties, who evaluate and report on our internal incident response preparedness, adherence to best practices and industry frameworks, compliance with applicable laws and regulations, and help with identifying areas for continued focus and improvement. We perform penetration tests and an independent audit every quarter to ensure our systems are secure. We also carry general liability insurance coverage and coverage for errors and omissions that is expected to provide protection against certain potential losses arising from a cybersecurity incident. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all. Policies and processes are also in place to ensure review and identification of risks from cybersecurity threats associated with third-party service providers and vendors. Cybersecurity reviews are required prior to initiating any engagements with third-party service providers and vendors who receive access to IAS systems and infrastructure. Additionally, recurring annual audits of such critical third-party service providers and vendors are completed by our Information Security team. Certain of our data processing equipment is housed in third-party commercial data centers or on servers owned and operated by cloud-based service providers. We generally enter into service level agreements with these parties that include provisions for the implementation and operation of effective security controls at the third-party organizations. We have experienced, and may in the future experience, whether directly or through our third party providers, cybersecurity incidents. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business strategy, results of operations, and financial condition. For additional information about our cybersecurity risks, please refer to Risks Related to Intellectual Property and Technology in Item 1A, Risk Factors. Governance The Board of Directors oversees the Company s information security program that institutes and maintains controls for the systems, applications, and databases of the Company and of its third-party providers and has delegated primary oversight of cybersecurity risks to the Audit Committee, which monitors the steps our management has taken to monitor and control exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. Our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) lead our cybersecurity program in collaboration with the Company s business functions. The CIO or CISO present updates to the Audit Committee quarterly and, as necessary, to the full Board. These regular reports include updates on the Company s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The CIO also promptly informs and updates the Audit Committee and the Board about any information security incidents that may pose significant risk to the Company. The Company s program is periodically evaluated by external experts, and the results of those reviews are reported to the Audit Committee and the Board as necessary. To more effectively prevent, detect and respond to information security threats, the Company maintains a cybersecurity program, which is supervised by the CIO whose team, including the CISO, is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. Additionally, the CIO chairs the Information Security Management Committee, which is made up of senior leaders from our Information Security, Compliance, Engineering, Technical Operations, Incident Management, Corporate IT, and Human Resources teams. This committee meets quarterly and drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management and reporting. 60 Table of Contents Our CIO has over 30 years of experience in technology. He was appointed as our CIO in January 2022, after serving as SVP Enterprise Systems for approximately five years. Prior to that, he was Global Head of Business Systems & IT at LivePerson for approximately six years. Our CIO is certified by Oxford University for Cybersecurity for Business Leaders. Our CISO has over 25 years of technology experience, with over 15 years of Information Security management experience. He was appointed as our CISO in March 2021, after serving as Director Security for approximately 2 years. Prior to that, he worked at GEP Worldwide as a Director of Security and Infrastructure Technology Management for approximately two years. Our CISO is certified for Certified Information Systems Security Professional (CISSP), and Certified Cloud Security Professional (CCSP).

Company Information