ACACIA RESEARCH CORP 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

ACACIA RESEARCH CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:37:00 EDT.

Filings

10-K filed on 2024-03-14

ACACIA RESEARCH CORP filed a 10-K at 2024-03-14 17:37:00 EDT
Accession Number: 0000934549-24-000023


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have developed and implemented various processes to oversee and manage the cybersecurity risks that may impact our business and have integrated this cybersecurity risk management framework into our Company’s broader risk management framework.

Managing Material Risks & Integrated Overall Risk Management

To manage cybersecurity risk and threats, we have developed and continuously review and update our internal risk controls (“Cyber Risk Controls”), which include administrative, physical, and technical controls and which are aligned to the CIS Critical Security Controls and the National Institute of Standards and Technology Cybersecurity Framework. The Cyber Risk Controls are in many cases integrated with our other controls, policies, procedures and programs to maximize their effectiveness. Likewise, our internal cybersecurity control group meets regularly to discuss and review identified cyber threats and risks as well as to conduct cybersecurity threat scenario planning. Identified cybersecurity risks are then further analyzed by other risk management personnel as part of our enterprise risk management process. We also have processes in place to stay informed of and monitor prevention, detection, mitigation, and remediation of cybersecurity risks, including but not limited to:

- employing appropriate incident prevention and detection software where appropriate
- employing industry-standard encryption protocols where appropriate
- conducting regular vulnerability scans
- applying patches in a timely manner
- conducting penetration tests and implementing recommended corrective actions in a timely manner
- maintaining a well-defined incident response plan and supporting procedures
- conducting regular phishing simulations and tabletop exercises and requiring employees to complete cybersecurity training.

Engaging Third Parties on Risk Management

We collaborate with vendors, service providers, assessors, auditors, consultants, and other third parties on an as-needed basis to develop secure informational and operational technology systems and protect against cybersecurity threats. For example, we engage third-party security experts to conduct risk assessments and program enhancements, including vulnerability assessments, cybersecurity tabletop exercises, and internal and external penetration tests.

Managing Third-Party Cybersecurity Risk

We recognize the potential cybersecurity risks associated with the use of third parties that provide services to us, process information on our behalf, or have access to our informational or operational technology systems, and we have processes in place to oversee and manage these risks. For example, we evaluate third-party service providers’ cybersecurity policies, procedures, and practices annually to ensure sufficiently reasonable security measures are in place. We also seek to mitigate third-party cybersecurity risk through contractual safeguards, and/or regular review of the internal control reports of such third parties, and incorporating third-party risk into our incident response plans.

Material Impact from Cybersecurity Incidents

While we have experienced and will continue to experience varying cyber incidents in the normal conduct of our business, thus far to our knowledge, such incidents have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.

Governance

Management Personnel

Our internal cybersecurity control group has responsibility for assessing, monitoring, and managing risks related to cybersecurity threats. The control group is comprised of members of senior leadership, including in-house legal counsel, and multiple independent third-party Certified Information Systems Security Professional (CISSP) Information Technology and Cybersecurity consultants. Specifically, we have retained a Virtual Chief Information Security Officer and other members of our cybersecurity control group, each of whom supports our cybersecurity risk management and governance practices. Such retained individuals have substantial prior work experience in various roles involving cybersecurity risk management and information technology, including security, compliance, systems and programming, and bring a wealth of expertise in their roles. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy process described above, and report to our internal cybersecurity control group and executive team on a regular basis (at least monthly).

Monitor Cybersecurity Incidents

Our internal cybersecurity control group meets on a monthly or more frequent basis to discuss and assess risks related to cybersecurity threats and review any reported cybersecurity incidents. The reviews include a review of the incident log, assessments of risks identified by multiple independent third parties and a review of our cyber risk as well as cybersecurity threat modeling. Identified risks related to cybersecurity threats are further analyzed as part of our enterprise risk management process. Our employees are provided with regular security policy and security awareness training including identifying potential cybersecurity incidents and reporting them to our security incident response team.

Board of Directors Oversight

The Audit Committee of our Board of Directors has oversight responsibility for the policies, processes and risks relating to cybersecurity. A senior member of our internal group attends all scheduled Audit Committee meetings and provides in-depth reports to the committee on cybersecurity risks and updates on the status of projects to strengthen the Company’s cybersecurity systems and improve cyber readiness. Moreover on a quarterly basis, a senior member of our internal control group reports to the Audit Committee and assists the committee with its review of relevant cybersecurity risks and evaluation and updating of our Cyber Risk Controls. Certain members of our Audit Committee have specific experience in information security and cybersecurity, and the Company has made cybersecurity training available to members of the Audit Committee.


Company Information

Name: ACACIA RESEARCH CORP
CIK: 0000934549
SIC Description: Patent Owners & Lessors
Ticker: ACTG - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30