FiscalNote Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

FiscalNote Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 21:04:57 EDT.

Filings

10-K filed on 2024-03-14

FiscalNote Holdings, Inc. filed a 10-K at 2024-03-14 21:04:57 EDT
Accession Number: 0000950170-24-031826


Item 1C. Cybersecurity.

As a company, we devote significant resources to cybersecurity and risk management processes in order to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management program is led primarily by our Vice President - Cybersecurity & DevOps, who has over 15 years' experience in cybersecurity, information technology, and related compliance and holds a Certified Information Systems Security Professional certification. The information security team works cross-functionally, with significant involvement from other members of senior management and oversight by the Board.

The information security team is responsible for, among other matters: designing, implementing and periodically assessing our cybersecurity safeguards and related policies and procedures, including those pertaining to encryption standards, antivirus protection, remote access, multi-factor authentication, data classification, device management, and the use of the internet, social media, email and wireless devices; monitoring current and emerging cybersecurity threats to which the business may become exposed; and providing oversight of risks of cybersecurity threats associated with our use of third-party service providers, including reviewing such engagements when proposed in order to identify and assess risks potentially arising therefrom.

In addition, the information security team is responsible for obtaining and maintaining Service Organization Control Type 2 (“SOC-2”) certification for the Company’s product portfolio. The Company has obtained SOC-2 certification for many of its products, which subjects those products to an annual compliance audit conducted by a third party, and we work to include progressively more products within the scope of the audit year over year.

We view cybersecurity as a shared responsibility throughout the Company. At a management level, we periodically perform tabletop exercises incorporating external resources, advisors and relevant members of the Board as needed. The Company requires all employees to participate in an annual cybersecurity training reviewed by the information security function, and management regularly communicates with employees about potential cybersecurity risks and methods for reporting incidents.

The Company has adopted and maintains an Incident Response Plan, which provides for various methods of reporting and escalation of incidents, activation of an incident response team consisting of relevant cross-functional leaders (e.g., legal, information security, operations), assessment of the severity of incidents, processes for investigating and remediating incidents and compliance with related legal and regulatory obligations, among other matters. The Incident Response Plan provides for the involvement of the Company’s Disclosure Review Committee to assess the materiality of cybersecurity incidents and any disclosure obligations required in respect thereof. Management periodically reviews the Company’s cybersecurity risk management strategy and processes - including the Incident Response Plan - to assess their efficacy in light of current and emerging threats.

The Company’s Board, which is responsible for oversight of risk management related to our business as a whole, has delegated responsibility to the Audit Committee for oversight of the Enterprise Risk Management (“ERM”) program and cybersecurity risk, among other matters. Cybersecurity risk is among the risks monitored by the ERM program, which establishes an annual cadence for identifying material risks facing the Company, as well as quarterly reporting to the Audit Committee on the severity of each such risk and mitigation measures being implemented. The Audit Committee also receives an annual update from the information security function on the Company’s current cybersecurity risks, recent enhancements to the Company’s safeguards and related policies. The Company’s Incident Response Plan provides for notification of and consultation with the Audit Committee in the event of a cybersecurity incident exceeding specified levels of severity.

We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to, and breaches of, our data and systems, including malware and computer virus attacks. For more information about the cybersecurity risks we face, see the risk factor entitled, “Cyberattacks, security, privacy, or data breaches or other security incidents that affect our networks or systems, or those of our service providers, involving our or our customers’ sensitive, personal, classified or confidential information could expose us to liability under various laws and regulations across jurisdictions, decrease trust in us and our products and services, increase the risk of litigation and governmental investigation, and harm to our reputation, business, and financial condition” in “Item 1A- Risk Factors - Information Technology and Data Risks”.


Company Information

Name: FiscalNote Holdings, Inc.
CIK: 0001823466
SIC Description: Services-Business Services, NEC
Ticker: NOTE - NYSE; NOTE-WT - NYSE
Website:
Category: Accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30