MOBIVITY HOLDINGS CORP. 10-K Cybersecurity GRC - 2024-04-16

Page last updated on July 16, 2024

MOBIVITY HOLDINGS CORP. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-16 21:59:39 EDT.


10-K filed on 2024-04-16

MOBIVITY HOLDINGS CORP. filed a 10-K at 2024-04-16 21:59:39 EDT
Accession Number: 0001493152-24-014966


Item 1C. Cybersecurity.

Over the past year, our team has implemented, optimized, and matured our cybersecurity practices, aiming to meet all major industry benchmarks. Our goal is to safeguard our information systems and protect the confidentiality, integrity, and availability of both our and our customers’ data. This includes measures related to cybersecurity incidents, risk management, management roles, and governance.

1) Cybersecurity incidents: Our public-facing website complies with WCAG 2.2 level AA standards for accessibility. We manage various databases, including those on Amazon and Google Clouds, each with three sets of development, testing, and production environments. Our main data warehousing solution is Amazon Redshift, complemented by Amazon S3 for object storage.
   a) To prevent unauthorized access, we have established a series of security gates across all production environments and instances
   b) Only two individuals have update access to production database instances, and a limited number of individuals have read-only access to personally identifiable information (PII) data
   c) In our cloud environments, 2-3 members of our Platform Engineering team have access to production and test instances, and logs are generated for any changes made

2) Risk Management: We maintain multiple AWS and Google Cloud environments, each with three sets of development, testing, and production environments. Our primary data warehousing solution is Amazon Redshift, while we use Amazon S3 Glacier for archival storage and Amazon S3 for object storage. We also employ Amazon Sagemaker for machine learning tasks and internally host Apache Superset on the AWS platform for data visualization.
   a) All environments are isolated using credentials and accounts
   b) We are following a plan to ensure scheduled patching, upgrades, and other maintenance occur every quarter. This includes updates for SQL databases and cloud instances
   c) We have the capability to search our logs for security incidents
   d) We are on schedule to monitor every public endpoint using a Web Application Firewall (WAF), ensuring that all traffic is logged with patterns to detect any suspicious behavior
   e) We aim to enable automatic processes to ensure no production data is changed without systematic audits
   f) The data visualization tool has login credentials with role-based access

3) Management’s Role: Our board of directors has ultimate oversight of cybersecurity risk. Our VP of Engineering and Platform Engineering Manager lead cybersecurity risk assessment and management efforts, collaborating closely with the interim CEO for guidance, strategic direction, alignment with business objectives, and environment.
   a) The Platform Engineering Manager has over 5 years of experience and holds a bachelor’s degree in computer science. The VP of Digital Engineering brings 19 years of expertise in digital transformations across various industries, holding leadership roles at Nordstrom, Walgreens, T-Mobile, and Sony PlayStation, with a Master’s degree in Business Administration from the University of Michigan
   b) We stay informed by utilizing online SOX and SOC II policy documents
   c) We have robust logging systems in place to monitor our systems, and our response plan includes promptly identifying the executives and parties affected

4) Governance: Our governance includes routing all production changes through approval processes and testing in the test environment before implementation in production.
   a) We adhere to SOX regulations to ensure proper documentation and signoffs for any production data alterations due to incorrect data entry
   b) In the event of changes, we document the reason for the update, the responsible individual, and the details of what was modified (both before and after). Additionally, all modifications undergo verification by at least one individual before and after the change
   c) The board holds oversight of the Company’s risks related to cybersecurity risks.

Our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.

Company Information

SIC Description: Services-Prepackaged Software
Ticker: MFON - OTC
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30