Emerald Holding, Inc. 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

Emerald Holding, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 18:05:30 EST.

Filings

10-K filed on 2024-03-04

Emerald Holding, Inc. filed a 10-K at 2024-03-04 18:05:30 EST
Accession Number: 0000950170-24-025067


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity is an important part of our overall risk management systems and processes and an area of focus for our Board and management. We have developed and implemented an enterprise-wide information security program designed to identify, protect, detect, and respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity and privacy threats, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools; an internal continuous pen testing program; and a third-party pen testing program to allow security researchers to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. We also maintain a third-party security program to identify, prioritize, assess, mitigate, and remediate third party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. Emerald's third-party security program is designed to mitigate cybersecurity risks associated with external service providers. This program includes conducting rigorous security assessments of potential third-party partners before onboarding, ensuring they meet our high standards for cybersecurity. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities.

We use widely adopted risk quantification models including those described in National Institute of Standards and Technology (NIST) special publications as well as the FAIR Institute's Factor Analysis of Information Risk (FAIR) methodology for Quantifying and Managing Risk to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, red team exercises, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also engage an external firm to assist in our annual Payment Card Industry Data Security Standard (PCI DSS) self-attestation of compliance, as well as third-party penetration testing of our cardholder environment and related systems. We continuously enhance our cybersecurity measures by providing ongoing training for our employees, including simulated phishing exercises, to ensure they are fully prepared to address potential threats. The results of these assessments are reported to the Audit Committee as discussed below under "Cybersecurity Governance."

In the last ten years, we have not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors, "We face continually evolving cybersecurity and similar risks, which could result in loss, disclosure, theft, destruction or misappropriation of, or access to, our confidential information and cause disruption to our business, damage to our brands and reputation, legal exposure and financial losses," which is incorporated by reference into this Item 1C.

Cybersecurity Governance

The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. Specifically, our Audit Committee is responsible for the oversight of risks from cybersecurity threats and receives regular updates from senior management, including our Chief Information Officer and Director of Cyber Security, on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. Our cybersecurity protocol requires that the Chair of the Audit Committee and senior management be immediately notified upon any cybersecurity incident. Our Chief Information Officer, who has over 20 years of experience in the cybersecurity and information security space, leads our global information security team responsible for overseeing the Emerald information security program. We also have a Director of Cyber Security who brings 24 years of experience in the information technology field, including 15 years of direct experience in cybersecurity. In addition, the team members who support our information security program have relevant educational and industry experience, including holding similar positions at large technology companies. This team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. The teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments, and findings.


Company Information

Name: Emerald Holding, Inc.
CIK: 0001579214
SIC Description: Services-Business Services, NEC
Ticker: EEX - NYSE; EEXAP - OTC
Website:
Category: Accelerated filer
Fiscal Year End: December 30