SOUNDHOUND AI, INC. 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

SOUNDHOUND AI, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 09:08:25 EST.

Filings

10-K filed on 2024-03-01

SOUNDHOUND AI, INC. filed a 10-K at 2024-03-01 09:08:25 EST
Accession Number: 0001840856-24-000013


Item 1C. Cybersecurity.

SoundHound acknowledges the increasing importance of cybersecurity in its operations and recognizes the potential risks and threats associated with cyber incidents. The Company is committed to maintaining the confidentiality, integrity, and availability of its information systems and data. However, no system can be completely immune to cyber threats.

We face a number of cybersecurity risks in connection with our business. To date, such risks have not materially affected our business, including threats to and breaches of our data systems, malware and computer virus attacks.

Risk Management and Strategy

The following information provides an overview of our approach to managing cybersecurity risks. The Company assesses, identifies and manages cybersecurity related risks. Cybersecurity related risks are evaluated to assess top risks to the enterprise on a bi-annual basis.

SoundHound has implemented a comprehensive cybersecurity program designed to identify, assess, and manage cyber risks. This program includes, but is not limited to:

- Regular risk assessments and vulnerability assessments.
- Implementation of industry-accepted cybersecurity controls and best practices.
- Employee training and awareness programs to enhance the company’s overall cybersecurity posture.
- Continuous monitoring and incident response plans to detect and mitigate potential threats promptly.

We have a set of Company-wide policies and procedures concerning cybersecurity matters, such as policies related to encryption standards, antivirus protection, remote access, multi factor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an annual internal review process and are approved by appropriate members of management.

We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level and by reviewing our operational policies and procedures. We review our operational policies and procedures with third party experts on an annual basis as part of our annual audit process. We also maintain cyber insurance coverage.

In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers. Our Vendor Management Team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of the hosted applications are required to document user access reviews at least annually and provide from the vendor a System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.

SoundHound will report any cybersecurity incidents determined to be material. Material aspects of the nature, scope and timing of the incident, and the impact or reasonably likely impact of the incident on the Company, including on SoundHound’s financial condition and results of operations will be disclosed.

Governance

The audit committee oversees risks from cybersecurity threats as part of its broader risk oversight responsibilities. The board recognizes the importance of cybersecurity in safeguarding the company’s assets and operations.

SoundHound has a dedicated Information Security Management committee responsible for overseeing risks from cybersecurity threats. The committee’s charter outlines its specific responsibilities related to cybersecurity risk oversight, and assists senior management in fulfilling its oversight responsibilities by creating, implementing, overseeing and maintaining SoundHound’s Information Security Management System. The purpose of the ISMS is to protect the Company’s information systems and assets, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.

The board of directors is informed of cybersecurity risks, at least annually, through established processes, including periodic briefings, reports, and updates on the evolving landscape of cybersecurity threats.

Management

SoundHound designates the Information Security Management Committee as responsible for assessing and managing cybersecurity risks. Committee members possess professional experience or backgrounds presenting relevant experience or capacity to address those matters within the scope of the Committee’s responsibility, including senior executives, department leaders, and subject matter experts. Committee members are familiar, or have the ability to quickly gain familiarity, with major technology platforms employed by the Company; have knowledge of technological ecosystems and challenges confronted in current or emerging business environments; have the capacity to understand new or emerging technologies and cyber security threats; are familiar, or have the ability to quickly gain familiarity, with information security principles, privacy regulations, standards, and guidelines; and possess experience relating to enterprise risk management and process.

We view cybersecurity as a shared responsibility.

All employees are required to complete cybersecurity training as part of onboarding, on an annual basis and have access to more frequent cybersecurity training online. We also require employees in certain roles to complete additional role-based, specialized cybersecurity training. The designated persons or committees actively monitor cybersecurity incidents through processes that monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, including continuous assessment and adaptation to emerging threats.


Company Information

Name: SOUNDHOUND AI, INC.
CIK: 0001840856
SIC Description: Services-Prepackaged Software
Ticker: SOUN - Nasdaq, SOUNW - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 30