PubMatic, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

PubMatic, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:10:25 EST.

Filings

10-K filed on 2024-02-28

PubMatic, Inc. filed an 10-K at 2024-02-28 16:10:25 EST
Accession Number: 0001422930-24-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We recognize the importance of maintaining the trust and confidence of our publishers, buyers, partners, customers, and employees. The Audit Committee of our Board ( Audit Committee ) is responsible for oversight of the Company s cybersecurity function and efforts, and receives quarterly updates from management regarding the Company s cybersecurity policies, standards, processes, and practices. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our cybersecurity risk management program is overseen by our Senior Vice President, Infrastructure and Security ( SVP Security ), our executive management team, and our Board through the Audit Committee. Risk Management and Strategy We maintain a cross-functional cybersecurity program to identify, prevent, and mitigate cybersecurity threats and incidents. The program also includes implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Policies and Framework Our cybersecurity efforts are governed by a set of policies to address data protection and security incident management, and overseen by our Security Incident Management Team ( SIMT ). Our policies are closely based on recognized frameworks established by the National Institute of Standards and Technology ( NIST ), the International Organization for Standardization ( ISO ) and other applicable industry standards, and we expect to review them at least annually. Our information technology standards and infrastructure safeguards include information security standards prescribed for use by NIST, security measures aligned with the ISO/IEC 27000 series of standards, the Sarbanes-Oxley Act and SSAE 18/ISAE 3402, privacy regulations compliance, and other generally recognized industry standards, in each case, designed to safeguard the confidentiality, integrity and availability of our infrastructure and data and the resiliency of our operations. 40 Table of Contents In connection with these policies, we deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We also maintain a risk-based approach to identify and oversee cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Incident Response and Recovery Planning We have established and maintain incident response and recovery plans and procedures that address our response to a known or potential cybersecurity incident, including in our systems and those that occur on third-party systems that we use. These plans and procedures include the notification and escalation processes, the investigation and containment process, the evaluation, review, and remediation process for a known or potential cybersecurity incident, and a process to assess the materiality of an incident. Our incident response and recovery planning are overseen by the SIMT and Company personnel who become aware of an incident or potential incident are required to notify the SIMT. The SIMT is comprised of senior members of management and subject matter experts and is responsible for overseeing our cybersecurity program and our response to any cybersecurity incidents. Periodic Review, Testing and Training In accordance with our policies, we perform periodic assessments and tests of the application of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a range of activities, including internal audits, assessments, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We engage third parties to perform assessments on our cybersecurity measures as a component of our SOX compliance program. We also provide regular, mandatory training for employees and contractors regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, including the detection and prevention of phishing and other attacks using social engineering, and to communicate our evolving information security policies, standards, processes, and practices. Governance The Board, in coordination with the Audit Committee, oversees our overall enterprise risk management ( ERM ) process, including the management of risks arising from cybersecurity threats and information security. The Audit Committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, the threat environment, technological trends, and information security considerations arising with respect to our peers and third parties. Beginning in 2024, the Audit Committee will be provided updates on our process, procedures, policies and any cybersecurity incidents at least quarterly. In the event of a material incident, or incident that may be determined to be material, the Audit Committee is informed as soon as reasonably practical and provided regular updates by the SIMT. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Audit Committee will have the opportunity to discuss our approach to cybersecurity risk management with the SIMT. Our SIMT is responsible for preventing, detecting and responding to cybersecurity threats and incidents to the Company, and includes our Chief Executive Officer ( CEO ), SVP Security, Chief Financial Officer ( CFO ), Chief Marketing Officer, Chief Technology Officer ( CTO ), General Counsel, and other subject matter experts. The SIMT works collaboratively across the Company to implement a program designed to protect our information systems and offerings from cybersecurity threats and to promptly identify and respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the SVP, Security and the SIMT monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents, and report such threats and incidents to our Board and Audit Committee when appropriate. The SIMT, together with other internal and external advisors, has developed a Security Incident Management Policy ( Security Policy ) and Cybersecurity Incident Management Process ( CIM Process ) to help guide our response to any potential cybersecurity incidents or threats. These documents are reviewed on a periodic basis by the SIMT, and the Audit Committee will be apprised of the SIMT s actions and potential improvements to the Security Policy and CIM process. 41 Table of Contents Our SVP Security has a strong background in engineering with over 30 years of industry experience in technology and security, and previously operated one of the world s largest retail websites instituting and undergoing PCI and HIPPA certifications. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. Cybersecurity threats, and their evolving nature, may pose a risk to us and our strategy, results of operations, and financial condition in the future.

Company Information