Digital Turbine, Inc. 10-K Cybersecurity GRC - 2025-06-16

Page last updated on June 17, 2025

Digital Turbine, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-16 16:51:52 EDT.

Filings

10-K filed on 2025-06-16

Digital Turbine, Inc. filed a 10-K at 2025-06-16 16:51:52 EDT
Accession Number: 0001628280-25-031628

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We maintain a comprehensive process for identifying, assessing, and managing material risks from cybersecurity threats as part of our broader risk management system and processes . This cybersecurity risk management process includes a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access and other security incidents and vulnerabilities. As part of our cybersecurity risk management process, we conduct regular application security assessments, vulnerability management, external penetration testing, security audits, and risk assessments. We leverage third-party security service providers to provide continuous and uninterrupted identification and mitigation of risk-prioritized security events. We maintain an incident response plan that is utilized when incidents are detected. Our incident response plan coordinates the activities that we and our third-party cybersecurity provider take to prepare to respond, recover from and mitigate cybersecurity incidents, which include processes to assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational harm. We require employees with access to information systems, including all corporate employees, to undertake data protection, cybersecurity, privacy and compliance programs at least annually. We maintain a team of dedicated security and compliance professionals who oversee cybersecurity risk management, mitigation, incident prevention, detection, and remediation, which is led by our Chief Information Security Officer. The team has deep cybersecurity experience with an average tenure of over 20 years with expertise in protecting critical assets for top firms in a myriad of different industries. We leverage SOC 2 Type 2 attestation framework to determine the operating effectiveness of our internal security controls and use NIST Cybersecurity framework to better understand, manage and reduce cybersecurity risk and protect our business from ever-changing cyber threats. We achieved SOC 2 Type 2 attestation this fiscal year, demonstrating the operating effectiveness of our internal security controls and our commitment to industry-leading information security standards. This attestation provides assurance to stakeholders that Digital Turbine’s systems and processes are regularly audited by independent third parties to verify compliance with rigorous security and privacy requirements. As part of our cybersecurity risk management process, we contractually require third-party service providers to implement and maintain key security measures in connection with their work with us when appropriate that is consistent with applicable laws. Additionally, our third-party service providers are to promptly report any breach of their security measures or systems that may affect our Company. Our security and compliance professionals track and log privacy and security incidents across our vendors and other third-party service providers to remediate and resolve any such incidents. Significant incidents associated with our vendors and service providers are reviewed regularly to determine whether further escalation is appropriate. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment, and then reported to designated members of our senior management. Governance Our executive leadership team , along with input from the above team, are responsible for our overall enterprise risk management system and processes and regularly consider cybersecurity risks in the context of other material risks to the Company. Senior management regularly discusses on at least a quarterly basis and otherwise as needed, cyber risks and trends and, should they arise, any material incidents with the Audit Committee. The Audit Committee has oversight responsibility over our cybersecurity risk management process , including risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats , but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Part I, Item 1A Risk Factors of this Annual Report on Form 10-K, including the risk factor titled “System security risks, data protection breaches, cyber-attacks, and systems integration issues could disrupt our internal operations or information technology services provided to customers, and any such disruption could reduce our expected revenue, increase our expenses, damage our reputation, and adversely affect our stock price.”

Company Information