TechTarget, Inc. 10-K Cybersecurity GRC - 2025-05-28

Page last updated on May 30, 2025

TechTarget, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-28 17:00:34 EDT.

Filings

10-K filed on 2025-05-28

TechTarget, Inc. filed a 10-K at 2025-05-28 17:00:34 EDT
Accession Number: 0000950170-25-078416

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy As is the case for all companies in our industry or with a significant digital presence, we are periodically subject to cyberattacks and other cyber incidents and, therefore, cybersecurity is an integral component of our overall enterprise information security program. We have adopted a multi-layered framework to secure our networks, systems, devices, products and services while also assessing, identifying, and managing cybersecurity risks. That framework is designed to help protect our information assets, operations, and resources from internal and external cyber threats by understanding and seeking to mitigate risks while ensuring business resiliency from unauthorized access or attack. Our cybersecurity policies, standards, and procedures include security risk assessments for high priority systems, third party compliance assessments for external vendors and suppliers, and incident management and breach response plans which are influenced by, and periodically assessed against, recognized cybersecurity frameworks. Our incident management policy is designed to help prevent, manage, and coordinate our response to, and recovery from, potential and confirmed cybersecurity incidents and includes processes to triage, assess the severity of, escalate, contain, investigate and remediate incidents, as well as comply with applicable legal obligations. Informa PLC’s chief information security officer (“CISO”) and Security team have implemented a similar framework and we collaborate on best practices, improvements, and risk assessments. Some Informa TechTarget systems are currently managed within the Informa PLC environments and overseen by the Informa PLC framework. The teams collaborate regularly and share any relevant findings. We seek to enhance our policies and practices to protect our platforms, adapt to changes in regulations, identify potential and emerging security risks and develop mitigation strategies for those risks. For example, we conduct regular risk assessments at planned intervals for high priority systems and/or applications to identify and analyze threats and vulnerabilities, identify controls, identify risk ratings and likelihood and level of potential impact, and provide recommendations for risk reduction, mitigation, acceptance, and avoidance. As part of our overall risk mitigation strategy, we also maintain cyber liability insurance coverage. We regularly engage external parties, including consultants, auditors, and cybersecurity service providers to enhance our cybersecurity oversight. For example, we maintain an ISO 27001 certification for our BrightTALK platform and obtained a SOC 2, Type II report for our Priority Engine platform. These third-party assessments are evaluated and updated regularly. Additionally, we utilize various external parties and tools to assist us with annual penetration testing, cybersecurity and related training, vulnerability and patch management, threat detection and response, and information technology general controls. In order to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we have a third-party risk management and assessment program designed to help protect against the misuse of information technology, data, and systems by third parties and business partners generally requiring third-party service providers to complete a security risk assessment, with certain high priority third-party providers undergoing annual risk assessments to determine if they have experienced any changes that could impact their security risk. If any critical risks are identified, we may perform a compliance audit of the third-party to further document findings and to recommend corrective actions. Based on an assessment using the previously described enterprise information security program, we do not believe that there are any risks from known cybersecurity threats, including as a result of any prior security incident s, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, as discussed under “Item 1A. Risk Factors,” specifically the risk titled " The loss of personal, confidential, and/or proprietary information due to our cybersecurity systems or the systems of our customers, vendors, or partners being breached could cause us to incur significant legal and financial exposure and liability, and materially adversely affect our business, operating results and reputation ," the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well our controls are designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner. Cybersecurity Governance and Oversight Our board of directors provides oversight over cybersecurity risk. Our board of directors receives and provides feedback on periodic updates from management regarding cybersecurity and is notified between such updates regarding significant new cybersecurity incidents, if any . Our board of directors also receives periodic briefings on cyber-related issues and accomplishments including, among other things, reviewing key elements of our cybersecurity program, ongoing training initiatives and awareness programs, occurrence of any incidents, and updates regarding third-party certifications and assessments. We have a Privacy and Security Executive Taskforce (“Taskforce”) consisting of executive-level leaders that meets periodically to, among other things, review global trends in privacy, security, and compliance, identify key projects and resource needs, and review operational privacy and security statistics and metrics. Additionally, our Chief Technology Officer (“CTO”) is a member of the Taskforce and manages and oversees a team (the “IT Security Team”) that is responsible for leading company-wide cybersecurity efforts. The IT Security Team works with various business units and departments, including legal, product development, and operations, to help set standards, policies, and processes. The IT Security Team also collaborates closely with the CISO of Informa and his team to, among other things, align strategy, assessments, and tooling. Our CTO along with key members of his IT Security Team have worked in the information security field for many years and are actively involved in our cybersecurity efforts . We also periodically perform tests on aspects of the operations of our cybersecurity program and the supporting control framework and report the results of these audits in reports to our Audit Committee. In an effort to deter and detect cyber threats, we periodically provide all full- and part-time employees with a data privacy, cybersecurity, and incident response training and compliance program, which covers timely and relevant topics, including phishing, malware, password security, confidential data protection, asset use and mobile security, and educates all employees on the importance of reporting all incidents immediately to the Company’s dedicated Incident Management Team. We also use technology-based tools to mitigate cybersecurity risks to bolster our employee based cybersecurity programs.

Company Information