AdTheorent Holding Company, Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

AdTheorent Holding Company, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 17:20:35 EDT.

Filings

10-K filed on 2024-03-12

AdTheorent Holding Company, Inc. filed an 10-K at 2024-03-12 17:20:35 EDT
Accession Number: 0000950170-24-030136

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We operate in the advertising technology sector, which is subject to various cybersecurity threats and risks that could adversely affect our business, financial condition, and results of operations, including unauthorized access to, disclosure, modification, misuse, loss, or destruction of company, customer, or other third-party data or systems theft of sensitive, regulated, or confidential data including personal information and intellectual property the loss of access to critical data or systems through ransomware, destructive attacks or other means business delays, service or system disruptions or denials of service violation of privacy laws and other litigation and legal risk and reputational risk. We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. Our cybersecurity program is in alignment with a combination of industry standards and best practices, such as ISO 27001, Center of Internet Security ( CIS ) for our information systems, and the Open Web Application Security Project ( OWASP ) Top 10 for our website and mobile applications. We conduct regular internal and annual external penetration testing of our cloud 40 hosting environment to identify our top information security risks. In addition, we perform ad hoc risk assessments to identify the potential impact and likelihood of various cyber scenarios and to determine appropriate mitigation strategies and controls. We have an information security on-boarding and off-boarding process to oversee and identify information security related risks from cybersecurity threats associated with the use of any third-party service providers and vendors. This process includes the completion of information security vendor questionnaires before on-boarding. Our information security department reviews these questionnaires to ensure that any third-party company that will host our non-public data has an information security program whose strength level is at least materially equivalent to our information security program. We use various tools and methodologies to manage cybersecurity risk, including the implementation of a business continuity process that includes a comprehensive Information Security Incident Response Plan ( InfoSec IR Plan ) that is tested on a regular basis. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through cybersecurity awareness training to equip employees to avoid falling victim to phishing attempts, and we enforce strong password requirements and use multi-factor authentication. We conduct regular vulnerability scans, penetration tests, utilize threat intelligence feeds , and conduct external annual penetration testing by an independent third party. To the best of our knowledge, cybersecurity risks and threats have not materially impacted our business to date. However, it is possible that these risks and threats could materially impact our business in the future. Our business depends on the availability, reliability, and security of our information systems, networks, data, proprietary business information and intellectual property. Any disruption, compromise, or breach of our systems or data due to a cybersecurity threat or incident could disrupt our operations, cause customers to lose trust and confidence in us and stop using our products, website and mobile applications, adversely affect our product development and competitive position, and could also result in a breach of our contractual obligations or legal duties to protect the privacy and confidentiality of our stakeholders and other third parties. Such a breach could expose us to business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation, regulatory scrutiny and actions, reputational harm, customer dissatisfaction, harm to our vendor relationships, or loss of market share. The advertising technology sector may be especially vulnerable to these risks due to our industry s reliance on personal information and the evolving privacy regulatory environment described under the caption Risks Related to Data Privacy in Item 1.A above. Our Board exercises its oversight role through the Board s audit committee, which in the event of a cybersecurity incident or material new risk arising from a cybersecurity threat would provide the Board with reports and findings discussed with our Chief Technology Officer ( CTO ) and/or our Chief Information Security Officer ( CISO ). Our audit committee members have varying levels of information security backgrounds ranging from direct cybersecurity experience with extensive involvement in data protection and cybersecurity compliance, policies, and governance, to broader experience being responsible for corporate risk management, including information security and the development of cyber incident reporting under the Critical Infrastructure Act. As part of their role on the audit committee, audit committee members stay current with information security trends and considerations for addressing cybersecurity risk and governance. Our Executive Information Security Risk Management Committee ( ISRM Committee ) consists of our CISO, CEO, Chief Financial Officer ( CFO ), CTO, as well as representatives from the client services and yield teams. The primary purpose of the ISRM Committee is to act on behalf of our executive management in fulfilling the oversight responsibilities with regards to the identification, analysis, and mitigation of all internal and external operational and strategic information security risks. The ISRM Committee is also responsible for the effective administration and adherence to our information security program, policy, standards, and guidelines. In the quarterly ISRM Committee meetings, our CISO provides updates on current information security trends and risks in the industry and covers how we, as a company, analyze these trends, and how we mitigate identified information security risks. The ISRM Committee also reviews the status of our phishing testing results and considers additional information security awareness and training measures, so we can minimize phishing risks and other human-related risks. The ISRM Committee has two working groups: Information Security Operational Risk Management ( ORM ), and Information Security Incident Response ( IR ). The Information Security ORM working group meets quarterly to collect information security operational risks from our technical, product, and data science team, and reports material risks to the ISRM Committee. The IR working group has core and support teams. Members of this working group review all changes to the InfoSec IR Plan and periodically test the InfoSec IR Plan by participating in information security incident response tabletop exercises. The ISRM Committee reviews all information security risks company-wide reported by both working groups and selects top risks that will be covered and translated into the information security projects for the incoming quarter. The ISRM Committee also reviews and approves our cybersecurity policy, standards, and guidelines annually, and prioritizes information 41 security related projects to mitigate our top information security risks on a quarterly basis. The ISRM Committee is also responsible for the review and approval of all changes of InfoSec IR Plan. Our CISO holds master’s degrees in both computer science and technology and business management. He also holds Certified Information Security Professional ( CISSP ) and Certified Information Security Manager ( CISM ) certifications and has over 20 years of experience in cybersecurity at a Fortune 100 company, the largest private bank in the U.S. as well as top research universities in the U.S. Our CEO is the liaison between the ISRM Committee and the Board and is responsible for communication between the two groups. Our CTO holds a bachelor’s degree in technology and over 25 years of experience in application development and technology management. This experience includes 12 years of application management at a Fortune 50 financial services company. The IR support team is responsible for the monitoring, prevention, and timely detection, confirmation, mitigation and remediation of information security incidents. After the discovery and confirmation of an incident, the IR core team evaluates materiality, which includes business impact analyses, consideration of the nature, scope, and timing of the incident, and an assessment of whether it is at least reasonably likely the incident will have a material impact on our operations and/or consolidated financial statements. In the case of the discovery of a material incident, we have a third-party under retainer to assist with incident containment and response. The third-party company provides forensic and investigation assistance to our incident response team, as needed. Our CISO provides the state-of-the-information security program to the Board annually and as needed. Also, our CISO and CFO meet with the chairman of the Audit Committee on an as-needed basis for a comprehensive analysis of the material risks in information security.

Company Information