Page last updated on July 27, 2025
Certara, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:30:08 EST.
Filings
10-K filed on 2025-02-26
Certara, Inc. filed a 10-K at 2025-02-26 16:30:08 EST
Accession Number: 0001827090-25-000014
Item 1C. Cybersecurity.
We are committed to safeguarding our customers’ information that is shared with us in the application of the software and services we contractually provide to them. Our information systems, including our cybersecurity program, risk management systems and processes and governance, reflect our dedication to meeting industry cybersecurity standards.
Risk Management and Strategy
We have implemented a comprehensive cybersecurity and data privacy program as part of our risk management processes to assess, identify and manage risks posed to our business by cybersecurity threats. We embed cybersecurity considerations into every material aspect of our operations, and our focus encompasses a proactive approach that involves continuous monitoring to swiftly detect and respond to cybersecurity threats. Our cybersecurity risk management processes are grounded in industry best practices, including NIST 800-53, ISO 27001, CIS Top 18, OWASP Top 10, and Security by Design and are intended to prevent adverse effects on the confidentiality, integrity and availability of our information systems and information residing therein.
Our cybersecurity processes have been integrated into our risk management processes in order for us to assess, identify, and manage risks related to cybersecurity threats and ensure compliance with our legal and contractual obligations, which require us to safeguard the confidential and sensitive information provided to us by our customers. For example, we use various methods and tools to identify and assess cybersecurity threats across all assets in our technical landscape, such as vulnerability scanning, penetration testing, threat intelligence, risk assessments, and audits from customers. We regularly engage third-party assessors, service providers, consultants, and auditors to support and review our risk management processes and to provide independent validation and verification of our security posture.
We have established processes to oversee and identify risks from cybersecurity threats associated with our use of third-party assessors and service providers, such as due diligence, contractual language, monitoring and periodic vendor evaluation and qualification. We maintain robust cybersecurity threat procedures, which includes escalating threats to the appropriate level of risk management, mitigation, remediation and the assessment of materiality of cybersecurity threats, or a series of related incidents, that may materially affect or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
We disclose information regarding our cybersecurity and privacy program and practices on our website and in our public-facing notices. Furthermore, we conduct annual cybersecurity awareness training for our employees in order to provide them with the knowledge necessary to navigate the digital landscape securely. We understand that cybersecurity is not a static concept but a dynamic discipline, and our security and privacy program reflects this by incorporating internal and third-party audits, penetration testing, active vulnerability scanning and a continuous improvement mindset.
As of December 31, 2024, we were not aware of any cybersecurity threats that have materially affected, or are reasonably likely to affect, the Company, including its business strategy, results of operations or financial condition. As discussed more fully under Part 1, Item 1A. Risk Factors, the sophistication of cyber threats continues to increase, and the preventative actions the Company takes to reduce the risk of cyber incidents and protect its systems and information may be insufficient. No matter how well designed or implemented the Company’s cybersecurity controls are, it will not be able to anticipate all security breaches, and it may not be able to implement effective preventive measures against cybersecurity breaches in a timely manner. See Part 1, Item 1A. Risk Factors entitled “Risks Related to Intellectual Property, Information Technology and Data Privacy” included elsewhere in this Annual Report on Form 10-K.
Governance
We have established a corporate governance structure that provides oversight and guidance for our cybersecurity and data privacy program. Our Board of Directors (the “Board”) is responsible for the oversight of our cybersecurity and privacy program and risks from cybersecurity threats. Our Board’s Audit Committee, which supports the Board in its oversight of our cybersecurity and data privacy program, is focused on cybersecurity and data privacy risk, including incident response planning, and timely identification and assessment of cybersecurity threats, cybersecurity incident recovery and business continuity considerations.
We have defined roles and responsibilities for our assessment and management of risks related to cybersecurity threats, including specific executive-level and management-level positions or committees. Our cybersecurity and privacy program is overseen by our Security and Privacy Program Office (“SPPO”), which is composed of corporate leadership from legal and information technology (“IT”). The SPPO reports to our Head of Information Technology, who is the accountable executive for our cybersecurity program. Our function and business unit executive leadership, acting in support of our SPPO, is responsible for ensuring organizational compliance with data protection safeguard regulations and related risk controls across our organization.
Our Head of Information Technology and our Director, Compliance Standards & Data Privacy (“DCSDP”), are responsible for the design, implementation, and monitoring of the cybersecurity and data privacy policies, standards, procedures, and controls that govern our information systems and data processing activities. Our Head of Information Technology has more than 30 years of experience in IT infrastructure, cybersecurity operations, and site reliability engineering for a wide range of software and service organizations, with the last 16 years focused on SaaS software businesses with access to sensitive customer data. The DCSDP also has over 30 years in IT with the last 13 focused on compliance and data privacy issues for Certara. Our Head of Information Technology and DCSDP report to our General Counsel, as well as to our Board through its Audit Committee.
The IT Security team and DCSDP coordinate the response and remediation of cybersecurity incidents and data breaches and report on the status and effectiveness of the security and privacy program to the SPPO, the Board and the Audit Committee on a quarterly basis, or more frequently as needed. We have established processes to ensure that management is informed about and monitors cybersecurity threat prevention, detection, mitigation, and, if necessary, cybersecurity incident remediation. These processes include regular reporting, escalation, and communication protocols, as well as periodic reviews and audits of our cybersecurity and data privacy program.
Company Information
Name | Certara, Inc. |
CIK | 0001827090 |
SIC Description | Services-Prepackaged Software |
Ticker | CERT - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |