Digimarc CORP 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

Digimarc CORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-29 16:35:52 EST.


10-K filed on 2024-02-29

Digimarc CORP filed a 10-K at 2024-02-29 16:35:52 EST
Accession Number: 0001437749-24-006115


Item 1C. Cybersecurity.

Cybersecurity risk management is a critical component of our overall risk management program. We have implemented robust information security processes for assessing, identifying, and managing material risks from cybersecurity breaches that could adversely affect our business, financial condition and reputation. Although we have implemented measures to safeguard against cybersecurity risks, there is no assurance that these measures will prevent all incidents or fully mitigate their impact. We continuously work to enhance our information security processes and risk management program.

Our cybersecurity risk management program is led by our Senior Director of Information Security with direction and oversight from the Company’s executive management team. The Senior Director of Information Security and the Company’s executive leaders directly involved have extensive experience in information security, risk management, and technology, and a track record of successful leadership in areas relevant to cybersecurity.

On a regular basis, we conduct thorough cybersecurity risk assessments that encompass both financial and non-financial risks, to identify vulnerabilities within our information systems. We also engage third-party experts and consultants to assist with cybersecurity risk assessments and to perform black box and white box penetration testing. We have implemented continuous enterprise-wide monitoring tools to detect and assess cybersecurity threats. In addition, we maintain and practice our incident response plans to facilitate timely identification and reporting of cybersecurity events. Aligned with our broader risk management framework, our materiality assessment criteria are determined based on a comprehensive review of potential cybersecurity impacts on our operations, financials and reputation.

Our risk mitigation strategies include a broad variety of technical and operational measures, including, but not limited to, cross-functional collaboration among the information security, legal and risk management and operational teams, and Company-wide training on cybersecurity and privacy. We conduct regular and ongoing information security training and maintain a compliance program, which includes live and virtual training and periodic testing to ensure compliance with corporate standards and procedures. New employees must acknowledge that they have completed all the information security training and adhere to standards and procedures upon hire. All other employees acknowledge completion of this training annually.

In 2023, the Company achieved SOC 2 (System and Organization Controls 2) Type II certification (“SOC 2”) for its product digitization platform. An independent auditor provided this certification after conducting a comprehensive audit, confirming that from August 15, 2022, to February 15, 2023, our information security controls were well-designed and worked effectively. The Company is working diligently to continue to maintain compliance with SOC 2.

Our Board of Directors plays a vital role in overseeing the Company’s enterprise risk management program and has delegated cybersecurity risk management to the Audit Committee of the Board of Directors. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the Company is exposed, and to implement processes to manage cybersecurity risks and mitigate cybersecurity incidents.

Our Senior Director of Information Security provides semi-annual updates to the Audit Committee, although all of the members of our Board of Directors are invited to attend the Audit Committee meetings at which these updates are provided, on the current cybersecurity threat landscape, emerging risks, remediation plans, and the effectiveness of related internal controls. When applicable, additional cybersecurity updates are provided to our Audit Committee in interim periods in the event of a significant cybersecurity threat.

The Audit Committee regularly engages in risk assessments specifically focused on cybersecurity, considering potential impacts on operations, financial results, and reputation, and periodically reviews cybersecurity policies and procedures to ensure they align with best practices and evolving cyber threats. In addition, the Audit Committee participates in the allocation of resources for cybersecurity initiatives, ensuring that investments align with the Company’s risk appetite and strategic objectives. The Audit Committee is also briefed on the Company’s crisis management and incident response plans, ensuring preparedness for potential cybersecurity incidents. The full Board of Directors participates with management in security tabletop exercises to test our incident response plans.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.

Company Information

Name: Digimarc CORP
SIC Description: Services-Computer Integrated Systems Design
Ticker: DMRC - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30