Grindr Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Grindr Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:49:15 EDT.

Filings

10-K filed on 2024-03-11

Grindr Inc. filed a 10-K at 2024-03-11 16:49:15 EDT
Accession Number: 0001820144-24-000011


Item 1C. Cybersecurity.

Risk management and strategy

We rely on information technology and data to operate our business and develop, market and deliver our services to our customers. Our information technology includes various cloud computing resources, computer networks, third party hosted services, communications systems, software, and our data (which includes confidential, personal, proprietary and sensitive data) (collectively "Information Assets"). We maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess potential material impact to our business. We rely on a multidisciplinary team (including information security stakeholders and management, as described further below in "Cybersecurity Governance") to help assess how cybersecurity threats to our Information Assets could impact our business. We seek to assess the likelihood that such threats could result in a material impact to our Information Assets, operations, ability to provide our services, our core business functions, personnel, reputation, and identified critical business objectives.

We identify, assess, and manage our cybersecurity threats and risks by, among other things, ongoing threat modeling discussions of certain of our applications and infrastructure, reviewing certain weekly security bulletins, monitoring the threat environment using manual and automated tools in certain environments and systems, subscribing to reports and services that identify certain cybersecurity threats, analyzing reports of certain threats and actors, scans of certain threat environment, evaluating our industry's risk profile, evaluating threats reported to us from our public-facing bug bounty program, conducting threat assessments for certain internal and external threats, and conducting vulnerability assessments in some environments and systems aimed at identifying vulnerabilities.

Based on our assessment process, we implement and maintain various technical, physical and organizational measures, processes, standards, and policies designed to manage and mitigate such risks and potential material impacts to our Information Assets. The various risk management and reduction measures we implement for certain areas of our environment and systems include: maintaining policies and procedures designed to address cybersecurity threats, including an incident response plan, vulnerability management policy, and disaster recovery/business continuity plans; conducting internal and external audits designed to assess our exposure to certain cybersecurity threats, compliance with internal risk mitigation procedures, and effectiveness of relevant controls; conducting background checks on certain of our and our third parties' personnel; adopting network security controls in certain environments and systems; segregating certain data; adopting physical and electronic access controls and asset management procedures; monitoring certain systems; implementing a vendor risk management program; training employees on security; conducting red/blue team exercises; maintaining cyber insurance; maintaining a dedicated information security staff; and using a third-party managed security operations center. We seek to prioritize our efforts based on the threats that are more likely to lead to a material impact to our business, such as exposure of customer data, interruption of services, ransomware, intrusion of networks, and data exfiltration or exposure.

Risks from cybersecurity threats are among those that we address in the Company's general risk management program. For example, cybersecurity risk is addressed as a component of the Company's enterprise risk management program, and the security department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.

To operate our business, we rely on third party service providers to perform a variety of functions, such as SaaS platforms, managed services, property management, cloud-based infrastructure, content delivery to customers, encryption and authentication technology, and corporate productivity services. We have a vendor management program designed to help manage cybersecurity risks associated with our use of these providers. The program includes risk assessments for certain vendors; security questionnaires for certain vendors; review of certain vendor’s written security program and security assessments; and imposition of information security contractual obligations on the vendor. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and contractually impose obligations onto them related to the services they provide and/or the information they process. For service providers that provide particularly critical services to us or process particularly sensitive information for us, we follow our third party vendor review processes involving stakeholders throughout the company. This includes multiple levels of due diligence prior to an engagement to assess what, if any, user data or confidential information the vendor may receive access to, what controls should be implemented around such access, and validating that the contractual rights and obligations conform to our policies and practices.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the section titled "Risk Factors - Risks Relating to our Business - Security breaches, unauthorized access to or disclosure of our data or user data, other hacking and phishing attacks on our systems or those of third parties upon which we rely, or other data security incidents could compromise sensitive information related to our business or users processed by us or on our behalf and expose us to liability, which could harm our reputation, generate negative publicity, and materially and adversely affect our business."

Governance

Our Board of Directors oversees the Company's risk management strategy with respect to cybersecurity threats as part of its general oversight function. The Board of Directors' audit committee is responsible for overseeing the Company's cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk management strategy relies on input from certain members of management, including our Senior Vice President of Engineering and Chief Information Security Officer (reporting to our Chief Executive Officer) in consultation with our General Counsel and Head of Global Affairs (reporting to our Chief Executive Officer), our Chief Privacy Officer (reporting to our General Counsel) and input from various leaders who participate in our Privacy and Security Council. This team helps us understand cybersecurity threats and risks, establish priorities, and determine the scope, elements, and implementation of a cybersecurity program. The team is also responsible for integrating cybersecurity considerations into our overall risk management strategy, and for communicating key priorities to employees. Every quarter, the Privacy and Security Council meets to discuss certain cybersecurity risks and upcoming changes to our legal obligations that may affect our cybersecurity program, and to review our cybersecurity program.

Our cybersecurity team is responsible for preparing for any cybersecurity incidents, responding to any cybersecurity incidents, approving cybersecurity policies and procedures, and reviewing cybersecurity-related audit reports. Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our SVP Engineering and Chief Information Security Officer, General Counsel and Head of Global Affairs, and Chief Privacy Officer, as appropriate. In addition, our incident response plan includes reporting to the Audit Committee of the Board of Directors for certain cybersecurity incidents.

The Board of Directors, through its Audit Committee, holds at least quarterly meetings to discuss the matters within the Audit Committee's scope, including to review and discuss our cybersecurity threat management. The Audit Committee oversees matters related to cybersecurity threats and hears reports from our SVP Engineering and Chief Information Security Officer about our guidelines, policies, and practices regarding cybersecurity risks as well as any updates of certain cybersecurity threats faced by us and steps we are taking to address them. The Audit Committee also receives various reports, summaries or presentations related to cybersecurity threats risk and mitigation.


Company Information

Name: Grindr Inc.
CIK: 0001820144
SIC Description: Services-Computer Programming, Data Processing, Etc.
Ticker: GRND - NYSE, GRND-WT - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30