Digital Media Solutions, Inc. 10-K Cybersecurity GRC - 2024-04-18

Page last updated on April 18, 2024

Digital Media Solutions, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-18 10:05:29 EDT.

Filings

10-K filed on 2024-04-18

Digital Media Solutions, Inc. filed an 10-K at 2024-04-18 10:05:29 EDT
Accession Number: 0001628280-24-016708

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy As a global company, we are regularly subject to cyberattacks and other cybersecurity incidents. In response, we have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risks. Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. Our enterprise risk management team collaborates with our Information Security function, led by our Chief Security Officer ( CSO ), to gather insights for assessing, identifying and managing cybersecurity threat risks, their severity, and potential mitigations. We are also participants and subscribers in industry cybersecurity intelligence and risk sharing organization to stay abreast of changes in the cybersecurity environment. We assess the Company s Information Security program using an industry cybersecurity framework from the National Institute of Standards and Technology. This program includes policies, processes and procedures that help assess and identify our cybersecurity risks and inform how security measures and controls are developed, implemented and maintained. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls and impact of controls on operations. We maintain internal resources to perform penetration testing designed to simulate evolving tactics and techniques of real-world threat actors, engage with industry partners and law enforcement and intelligence communities and periodic risk interviews across our business. We also engage an independent third party to perform internal and external penetration testing of the Company s information security environment periodically and engage other third parties to periodically conduct assessments of our cybersecurity capabilities. In addition, we continue to expand training and awareness practices to mitigate risk from human error, including mandatory computer-based training and internal communications for employees. Our employees undergo cybersecurity awareness training and regular phishing awareness campaigns that are based upon and designed to emulate real-world contemporary threats. We provide prompt feedback (and, if necessary, additional training or remedial action) based on the results of such exercises. Our processes also address cybersecurity risks associated with our use of third-party service providers including suppliers, software and cloud-based service providers, as well as third-party security firms used in different capacities to provide or operate some of our cybersecurity controls and technology systems. We proactively evaluate the cybersecurity risk of a third party by utilizing a repository of risk assessments, external monitoring sources, and threat intelligence to better inform the Company during contracting and vendor selection processes. Security issues are documented and tracked, and periodic monitoring of third parties is conducted in an effort to mitigate risk. In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a material cybersecurity incident (or series of related cybersecurity incidents), the Company has a written incident response plan outlining how to address cybersecurity events that occur. The plan sets forth the steps for coordination among various corporate functions and governance groups and serves as a framework for the execution of responsibilities across businesses and operational roles. Our incident response plan is designed to help us coordinate actions to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to assess the need for disclosure, comply with applicable legal obligations and mitigate the impact to our 31 Table of Contents brand and reputation and on impacted parties. We also maintain insurance coverage that, subject to its terms and conditions, is intended to help us cover certain costs associated with cybersecurity incidents and information system failures. We maintain business continuity and disaster recovery plans to prepare for and respond to the potential for a disruption in the technology we rely on. The Company (or the third parties it relies on) may not be able to fully, continuously, or effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine whether and how to implement certain security controls and it is possible that we may not implement the necessary controls if we are unable to recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate cybersecurity risks. Cybersecurity events, when detected by security tools or third parties, may not always be identified immediately or addressed in the manner intended by our cybersecurity incident response plan. Impact of cybersecurity risks on business strategy, results of operations or financial condition Based on the information available as of the date of this Annual Report, we have no reason to believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see Risks Related to our Business, in Item 1A, Risk Factors in this Annual Report. Cybersecurity Governance Our cybersecurity risk management and strategy processes are led by our CSO. This individual has over 25 years of professional experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing multiple industry and regulatory compliance environments. Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. Although cybersecurity risk oversight continues to remain a top priority for the Board, the Audit Committee of our Board has primary oversight responsibility for the Company s cybersecurity and other technology risks. The Committee quarterly reviews and discusses with our CSO the Company s cybersecurity, privacy and data security programs, the status of projects to strengthen internal cybersecurity, results from third-party assessments, and any significant cybersecurity incidents, including recent incidents at other companies and the emerging threat landscape. The Committee also reviews with management the implementation and effectiveness of the Company s controls to monitor and mitigate cybersecurity risks.

Company Information