Certara, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Certara, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:30:38 EST.

Filings

10-K filed on 2024-02-29

Certara, Inc. filed a 10-K at 2024-02-29 16:30:38 EST
Accession Number: 0001827090-24-000006


Item 1C. Cybersecurity.

We are committed to safeguarding our customers and the sensitive information shared in the application of software and services provided. Our cybersecurity program, risk management and governance reflect our dedication to not only meeting industry standards but exceeding them.

Risk Management and Strategy

We recognize that cybersecurity risks pose a significant threat to our business, customers, and stakeholders, and we have implemented a comprehensive security and privacy program to address these risks. We embed security considerations into every aspect of our operations, and our focus encompasses a proactive approach that involves continuous monitoring to swiftly detect and respond to emerging threats to ensure that our customers' information remains secure in the face of evolving cybersecurity challenges. With a foundation grounded in industry best practices, including NIST 800-53, ISO 27001, CIS Top 20, OWASP Top 10, and Security by Design, we prioritize the identification and assessment of risks to create a protective shield around our customers' data. This foundation guides our processes for assessing, identifying, and managing risks related to cybersecurity threats and incidents, as well as ensuring compliance with legal and contractual obligations.

Our risk management processes are integrated into our overall business strategy and operations. We use various methods and tools to identify and assess cybersecurity risks across all assets in our technical landscape, such as vulnerability scanning, penetration testing, threat intelligence, risk assessments, and audits from customers. We also use third-party assessors and service providers, consultants, and auditors to support our risk management processes and to provide independent validation and verification of our security posture. We have established processes to oversee and identify risks associated with our use of third-party assessors and service providers, such as due diligence, contractual obligations, monitoring, and vendor evaluation and qualification.

We maintain robust cybersecurity incident response procedures, which include escalating incidents to the appropriate level of management, mitigation, remediation, and the assessment of materiality of cybersecurity incidents, or a series of related incidents, that may materially affect or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. We also disclose information regarding our security and privacy program and practices on our website and in our public-facing notices. Furthermore, we conduct annual cybersecurity awareness training for our employees in order to provide them with the knowledge necessary to navigate the digital landscape securely. We understand that cybersecurity is not a static concept but a dynamic discipline, and our security and privacy program reflects this by incorporating internal and third-party audits, penetration testing, active vulnerability scanning, and a continuous improvement mindset.

As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents, or a series of related incidents, that have had or are reasonably likely to have a material impact on the Company's business strategy, results of operations or financial condition. For more information on our cybersecurity related risks, see Part 1, Item 1A. Risk Factors, entitled "Risks Related to Intellectual Property, Information Technology and Data Privacy," included elsewhere in this Annual Report on Form 10-K.

Governance

We have established a corporate governance structure that provides oversight and guidance for our security and privacy program. The Board of Directors (the "Board") is ultimately responsible for the oversight of the Company's security and privacy program. The Audit Committee, which supports the Board in the oversight of the program, is focused on cybersecurity and data privacy risk, including incident response planning, timely identification and assessment of incidents, incident recovery and business continuity considerations.

We have defined roles and responsibilities for the management of cybersecurity risks, including specific executive-level and management-level positions or committees. Our security and privacy program is overseen by our Security and Privacy Program Office ("SPPO"), which is composed of corporate leadership from legal and IT. The SPPO is accountable to the VP of Information Technology, who is the accountable executive for the program. Our function and business unit executive leadership, acting in support of the SPPO and the Board, is responsible for ensuring organizational compliance with data protection regulations and controls across the organization.

Our VP of Information Technology and Director, Compliance Standards & Data Privacy ("DCSDP") are responsible for the design, implementation, and monitoring of the security and privacy policies, standards, procedures, and controls that govern our information systems and data processing activities. Our VP of Information Technology has 30 years of experience in IT infrastructure, cybersecurity operations, and site reliability engineering for a wide range of software and service organizations, with the last 15 years focused on SaaS software businesses with access to sensitive customer data. The DCSDP also has 30 years in IT, with the last 12 focused on compliance and data privacy issues for Certara. The VP of Information Technology and DCSDP also have a reporting responsibility to the General Counsel, and to the Board via the Audit Committee.

They coordinate the response to and remediation of cybersecurity incidents and data breaches and report on the status and effectiveness of the security and privacy program to the SPPO, the Board, the Audit Committee, and other stakeholders on a quarterly basis, or more frequently as needed. We have established processes to ensure that management is informed about and monitors cybersecurity incident prevention, detection, mitigation, and remediation. These processes include regular reporting, escalation, and communication protocols, as well as periodic reviews and audits of the security and privacy program.


Company Information

Name: Certara, Inc.
CIK: 0001827090
SIC Description: Services-Prepackaged Software
Ticker: CERT - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30