COMSCORE, INC. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

COMSCORE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 16:05:17 EDT.

Filings

10-K filed on 2024-03-12

COMSCORE, INC. filed an 10-K at 2024-03-12 16:05:17 EDT
Accession Number: 0001158172-24-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain a comprehensive cybersecurity program and process for identifying, assessing and managing risks from cybersecurity threats as part of our broader risk management system. Our cybersecurity program is run by a dedicated team of cybersecurity professionals with deep expertise in incident prevention, detection and remediation, led by our Vice President, Information Security (a certified information systems security professional with a degree in computer science and more than 30 years of relevant work experience) and our Chief Information Officer (a seasoned executive with a degree in management information systems and decades of product and technology experience, including more than 20 years with the Company). The Information Security team is responsible for identifying, assessing and mitigating cybersecurity vulnerabilities, threats and risks evaluating and deploying appropriate security tools and operating a 24x7 security operations center to promptly detect, remediate and prevent security incidents. The team maintains a comprehensive incident response policy that includes prompt reporting of security incidents to a cross-functional working group (including our Chief Information Officer, General Counsel, Chief Compliance Officer and other security and privacy personnel) in order to ensure that information required to be disclosed by the Company with respect to security incidents is timely identified and reported. We have aligned our information security management system to the International Organization for Standardization (“ISO”) 27001 standard and our privacy management system to the ISO 27701 standard. An outside auditor tests the effectiveness of our security and privacy controls against the ISO 27001 and 27701 standards on an annual basis. We also undergo client security audits and cybersecurity program assessments by outside consultants, and we regularly update our program and processes to incorporate recommendations from auditors, consultants and other experts. Finally, we maintain a third-party risk management process that includes screening and evaluation by the Information Security team of service providers who will have access to our systems or confidential information, in order to identify and manage cybersecurity risks associated with our use of such providers. Our Board of Directors has an active role, as a whole and at the committee level, in overseeing management of our material risks from cybersecurity threats. The Board’s Audit Committee oversees management of financial, regulatory, compliance and security risks and receives reports at least quarterly from our Chief Information Officer regarding our cybersecurity programs, vulnerabilities, threats and risks. The full Board is regularly informed about such risks through committee reports, attendance at committee meetings and other communications. Our executive leadership team is responsible for designing and implementing our enterprise risk management program, with input from our Chief Information Officer, General Counsel and other security and privacy personnel regarding material risks from cybersecurity threats. The executive leadership team regularly discusses security threat trends incident trends, including any significant incidents that may arise risk mitigation and overall security strategy as part of our enterprise security governance process. We consult with outside counsel as appropriate, including on materiality analyses and disclosure matters, and our senior management makes the final materiality determinations and disclosure and other compliance decisions. Our management apprises our independent public accounting firm of any relevant developments. We have experienced, and may in the future experience, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition to date, and although our processes are designed to help prevent, detect and mitigate the impact of such incidents, we cannot guarantee that a future security incident would not materially affect our strategy, 28 Table of Conte nt s results of operations or financial condition. For more information on our cybersecurity related risks, see Item 1A , “Risk Factors” of this 10-K.

Company Information