Getty Images Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Getty Images Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 07:43:01 EDT.

Filings

10-K filed on 2024-03-15

Getty Images Holdings, Inc. filed a 10-K at 2024-03-15 07:43:01 EDT
Accession Number: 0001628280-24-011316


Item 1C. Cybersecurity.

The Company's management is responsible for the day-to-day management of risk, and our board of directors, including through its committees, is responsible for understanding and overseeing the various risks facing the Company.

Cybersecurity Risk Management and Strategy

Increased global cybersecurity vulnerabilities, threats and more sophisticated and targeted cyber-related attacks pose an ongoing risk to the security of our information systems and networks. Getty Images seeks to manage cybersecurity risks consistent with its general approach to enterprise risk management. Getty Images engages third parties to conduct assessments to help it identify, categorize and manage cyber risks and to confirm compliance with applicable legal and regulatory requirements. Additionally, management and third parties conduct ongoing vulnerability scanning and perform penetration testing from time to time to help Getty Images identify and reduce the threat of known and emerging cybersecurity risks.

Board Oversight and Governance

Getty Images' board of directors has delegated the oversight of cybersecurity risks to the Audit Committee. The Audit Committee assists Getty Images' board of directors in its oversight of the policies and practices used by Getty Images to identify, assess and manage key risks facing Getty Images, including cybersecurity risks. Members of management, including the Company's Chief Technology Officer ("CTO"), provide the Audit Committee with updates on cybersecurity and information technology matters. In turn, the Audit Committee and management also provide updates to Getty Images' board of directors. In addition to reporting to the Audit Committee and Getty Images' board of directors, the CTO provides periodic reports to our Chief Executive Officer and other members of our senior management as appropriate.

The Audit Committee, or Getty Images' board of directors, is notified of cybersecurity incidents, as appropriate, in accordance with the Company's incident response processes.

Cybersecurity Oversight

Management plays an important role in assessing and managing Getty Images' material risks from cybersecurity threats. The CTO is responsible for oversight of the design and implementation of the security program and strategy. Getty Images' current CTO has served in various roles in technology for over 25 years, and has had oversight of information technology and information security for both Getty Images (6+ years) and other organizations. At the employee level, we maintain an experienced information technology team who is tasked with implementing our privacy and cybersecurity program and supports the CTO in carrying out reporting, security, and mitigation functions. As part of the Getty Images cybersecurity program, cross-functional teams throughout the Company address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the CTO and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and escalate such threats and incidents as appropriate through the processes described in more detail below.

Management's cybersecurity risk management strategy and processes focus on several key areas, including:

Incident Response Planning: Getty Images has a global Information Security Incident Response Plan (the "Plan") for identifying and managing cyber and data security threats. The Plan defines the roles and responsibilities of Company stakeholders involved in responding to cyber and data security events, severity levels and incident categories, and it outlines a process for incident management, including escalation and communication procedures. A cross-functional working group of security, privacy, and legal personnel review significant incidents to determine if further escalation is appropriate. If an incident could be deemed material, it is escalated to the CTO and other members of the executive team, and we consult with outside counsel during this assessment as appropriate.

Technical Safeguards: Getty Images seeks to continuously improve technical safeguards that are designed to protect its information systems. Standards include controls for identity and access management, cyber threat and incident management, data security, encryption, human resource security, network and device security, secure asset management, secure system development, security operations and third-party security. While Getty Images seeks to maintain adequate cybersecurity controls, it may not always be effective. See "Item 1A. Risk Factors - Our failure to protect the proprietary information of our customers and our networks against cyberattacks, security breaches or unauthorized access could adversely affect our business and results of operations, damage our reputation and expose us to liability" and "We collect, store, process, transmit and use personal information, which subjects us to governmental regulation and other legal obligations in many jurisdictions related to privacy, information security and data protection" for more information as well as related risks.

Education and Awareness: We require annual employee trainings on privacy and cybersecurity, records and information management, and generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.

Third-Party Risk Management: We rely on certain third-party computer systems and third-party service providers in connection with providing some of our services. We also depend upon various third parties to process payments for our transactions around the world. These third-party business partners, service providers, and consultants need to access our customer and other data and in some cases connect to our computer networks. We define expected security and privacy requirements through our contracting processes with third parties and we perform third-party cyber risk assessments to monitor the cyber risk management efforts of third parties as needed.

Threat Intelligence: Our security teams engage in threat intelligence, predictive modeling, and penetration testing to understand the Company's threat landscape and reduce the risk and impact of cybersecurity incidents.

Material Effects of Cybersecurity Incidents

As of the date of this Annual Report, we have experienced cybersecurity incidents and threats, including malware, phishing, partner and customer account takeover attacks, and denial-of-service attacks on our systems. We do not believe these cybersecurity incidents have materially affected our business strategy, results of operations, or financial condition. However, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. To learn more about risks from cybersecurity threats, review the risk factors included in "Item 1A. Risk Factors" in this Annual Report, as updated by Getty Images' subsequent SEC filings. The risks described in such filings are not the only risks facing Getty Images. Additional risks and uncertainties not currently known or that may currently be deemed to be immaterial may materially adversely affect Getty Images' business, financial condition, or results of operations.


Company Information

Name: Getty Images Holdings, Inc.
CIK: 0001898496
SIC Description: Services-Business Services, NEC
Ticker: GETY - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30