Nerdy Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Nerdy Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:02:57 EST.

Filings

10-K filed on 2024-02-27

Nerdy Inc. filed an 10-K at 2024-02-27 16:02:57 EST
Accession Number: 0001819404-24-000019

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Our Board of Directors, recognizing the importance of maintaining the trust and confidence of our Learners, Experts, Institutional customers, clients, business partners, and employees, has delegated oversight of our cybersecurity risk management to the Audit Committee. Our cybersecurity policies, standards, processes, and practices have been established as part of our risk management program and are based on recognized frameworks, including as adopted by the National Institute of Standards and Technology (the NIST ). In general, we seek to address cybersecurity risks through a cross-functional approach focused on preserving the confidentiality, security, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our cybersecurity program focuses on these key areas: Governance : The Audit Committee has oversight of cybersecurity risk management and regularly interacts with our Chief Technology Officer ( CTO ) and other members of management. Education and Awareness : We provide regular, mandatory training for personnel regarding cybersecurity threats to equip them with effective tools to address and mitigate cybersecurity threats, and to communicate our information security policies, standards, processes, and practices. Cross-Functional Approach : We have adopted a cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Third-Party Risk Management : We have adopted a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Technical Safeguards : We deploy technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and revised through vulnerability and cybersecurity threat assessments. Incident Response and Recovery Planning : We maintain incident response and recovery plans addressing our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis. We engage in the periodic assessment and testing of our policies, standards, processes, and practices designed to address cybersecurity threats and incidents. These efforts include internal and external activities, including reviews of our information security control environment, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning, and information security maturity assessments. In late 2023, the Board of Directors delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee receives regular presentations and reports on cybersecurity risks, and prior to the Board s delegation, the Board periodically received such presentations and reports. Those presentations and reports have covered or will cover topics such as recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, and technological and peer company trends. The Audit Committee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Audit Committee discusses the Company s approach to cybersecurity risk management with the members of the management team, including the CTO and the Vice President, Engineering and Security. The CTO and Vice President, Engineering and Security in coordination with our Chief Executive Officer ( CEO ), Chief Financial Officer ( CFO ), and Chief Legal Officer ( CLO ), among others, work collaboratively across functions to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Through ongoing communication, we 37 Table of Contents monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Audit Committee when appropriate. Our CTO has served in various roles in information technology and information security for over a decade, and holds a doctorate in mathematics from the London School of Economics and Political Science. The Vice President, Engineering and Security has served in various roles in information technology for over 25 years. Our CEO, CFO and CLO each hold degrees in their respective fields, and each have experience managing risks, including risks arising from cybersecurity threats. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including our business strategy, results of operations, or financial condition. Depending on their nature, cybersecurity threats in the future may materially affect our business strategy, results of operations, or financial condition. See Risk Factors in Part I, Item 1A of this report.

Company Information