Zedge, Inc. 10-K Cybersecurity GRC - 2025-10-28

Page last updated on October 28, 2025

Zedge, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-10-28 16:15:59 EDT.

Filings

10-K filed on 2025-10-28

Zedge, Inc. filed a 10-K at 2025-10-28 16:15:59 EDT
Accession Number: 0001213900-25-103098

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity framework (which includes management of related risks) is based on recognized cybersecurity industry frameworks and standards, including those of the National Institute of Standards and Technology, the Center for Internet Security Controls, and the International Organization for Standardization. We do not certify that we meet any particular technical standards, specifications, or requirements, but we use the aforementioned frameworks and standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

We use these frameworks, together with information collected from internal assessments, to develop policies for the use of our information assets (e.g., IT business information and information resources such as mobile phones, computers and workstations), access to specific intellectual property or technologies, and protection of personal information. We protect these information assets through industry-standard techniques, by a strong Identity and Access Management framework, such as Role Based Access Control, Attribute Based Access Control, principle of Least Privilege, Need-to-Know access and multi-factor authentication as an obligatory second factor to our core resources. We also enhance our endpoint protection by deploying an endpoint detection and response tool. Its core mission is to defend our endpoints and systems against new malware, rootkits, spyware and ransomware.

We also work with internal stakeholders across the Company to integrate foundational cybersecurity principles throughout our operations, including the employment of multiple layers of cybersecurity defenses, restricted access based on business needs, and integrity of our business information.
We routinely train our employees on cybersecurity awareness on social engineering attacks, confidential information protection, emerging threats and simulated phishing attacks to improve self-awareness of our employees.

We have standing engagements with incident response experts and external counsel, including through our cyber insurance. We frequently collaborate with industry experts and cybersecurity practitioners at other companies to exchange intelligence about potential cybersecurity threats, best practices and trends.

We continuously monitor and collect insights on the latest vulnerabilities and attack patterns (TTPs) released by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). The annual "Threat Landscape" report published by the European Union Agency for Cybersecurity (ENISA) each October serves as a key strategic intelligence source supporting the hardening and protection of our infrastructure. This report offers a comprehensive perspective on prevalent attack types, mapped across threat vectors and industry domains, accompanied by actionable defense strategies that support effective risk reduction to levels aligned with our organizational tolerance. It allows for the deployment of tailored security measures, enhancing Zedge's ability to withstand evolving cyber risks.

We also have our own incident response team who is engaged in dealing with security events triggered by our Security Information and Event Management (SIEM) system. Continuous monitoring of our infrastructure - from endpoint devices to virtual clusters - helps detect potential interception of internal communications, preventing the leakage of business-critical data.

Our cybersecurity risk management extends to risks associated with our use of third-party service providers.
For instance, we conduct risk and compliance assessments of third-party service providers by checking on a permanent basis every new vendor that is going to cooperate with the Company. The aim is to verify if vendors' due diligence and risks associated with it are within our risk tolerance set by management.

Our cybersecurity risk management is an important part of our comprehensive business continuity program and enterprise risk management. Our global information security team periodically engages with a cross-functional group of subject matter experts and leaders to assess and refine our cybersecurity risk posture and preparedness. For example, we regularly evaluate and update contingency strategies for our business in the event that a portion of our information resources were to be unavailable due to a cybersecurity incident. We practice our response to potential cybersecurity incidents through regular tabletop exercises, threat hunting and red team exercises.

Our vulnerability management program involves regular scanning and testing of systems, endpoints, virtual environments, and cloud-based assets to identify potential software flaws, misconfigurations, or exposure points. Once vulnerabilities are detected, we prioritize remediation based on risk impact and business criticality, ensuring that all gaps are addressed in a timely and effective manner. This proactive approach enables us to maintain a hardened infrastructure, reduce attack surface, and align with industry best practices and regulatory expectations.

As part of our secure development lifecycle (SDLC), we conduct both automated and manual code reviews to ensure that the applications we deliver to our users are resilient against exploitation and designed to prevent data leakage. By embedding security controls throughout the development process - from design to deployment - we uphold confidentiality, integrity, and reliability.
This approach not only protects sensitive user data, but also reinforces trust in our platform and supports long-term compliance with regulatory frameworks.

In response to the growing use of AI by bad actors, we adapt our internal policies, procedures, and control mechanisms to address AI-driven threats, including:

● Automated phishing campaigns and deepfake content used for impersonation or fraud.
● Malicious code generation via large language models.
● Adversarial attacks that manipulate input data to bypass security algorithms.
● AI-assisted vulnerability scanning and exploitation of system weaknesses.

Our multi-layered defense strategy includes:

● Continuous monitoring and anomaly detection powered by machine learning to identify AI-driven attack patterns.
● Enhanced SDLC with static and dynamic code analysis to detect AI-generated vulnerabilities.
● Employee training on AI-related risks, such as synthetic media, prompt injection, and suspicious automation.
● Third-party risk assessments that evaluate the AI capabilities of vendors and partners to prevent external exposures.
● Incident response playbooks tailored to AI-specific scenarios, such as automated botnet coordination or synthetic identity fraud.

These practices ensure our organization remains agile, secure, and prepared for the evolving AI-driven threat landscape.

Governance of Cybersecurity Risk Management

The board of directors, as a whole, has oversight responsibility for our strategic and operational risks and sets associated risk parameters and tolerance levels. The audit committee assists the board of directors with this responsibility by reviewing and discussing the defined risks, its assessment and proposed mitigation strategies, including cybersecurity risks, with members of management. The audit committee, in turn, periodically reports on its review with the board of directors.
Management is responsible for day-to-day assessment and management of cybersecurity risks and reports regularly to the audit committee.

Zedge's Cybersecurity risk governance has several components that can help our organization understand and implement cybersecurity governance practices, achieve long-term cybersecurity goals beyond the day-to-day information security tasks, align with legal and regulatory compliance, and the direction of the Company through:

● Developing a mature cybersecurity culture which ensures that all employees understand they are stakeholders in cybersecurity. Employees not only engage with cybersecurity controls but must be proactive in risk mitigation and remediation.
● Cyber risk assessments which identify cybersecurity business risks and the Company's cybersecurity gaps and vulnerabilities. Using agreed-upon key performance indicators (KPIs), stakeholders can measure the Company's cybersecurity capabilities clearly and objectively. This facilitates our ability to audit the effectiveness of future vulnerabilities and remediation activities.
● An Accountability Framework which measures performance across departments and systems and ensures that those identified as responsible for meeting objectives are aware of the results and work with the cyber risk governance team leader to achieve and enhance them. With consistent feedback and the ability to reference established metrics, we can successfully monitor, review, and enforce cyber risk governance plans. In turn, through these processes, we improve our framework, remediate serious issues, and update organizational cyber risk governance roadmaps accordingly.
● Embedding cybersecurity within the broader enterprise risk management (ERM) strategies to evaluate cyber risks alongside financial, operational, and reputational risks, enabling executive leadership to make informed decisions.
● Leveraging external threat intelligence and collaborating with industry peers, regulatory bodies, and national cybersecurity agencies to adapt to emerging threats.
● Embedding security into software development through deployment, with regular code reviews, SDLC checkpoints, and secure architecture principles.
● Reviewing governance practices, incorporating lessons learned from incidents, audits, and tabletop exercises to refine policies, controls, and strategic priorities.
● Providing transparent cyber risk metrics and governance outcomes to the Board of Directors, ensuring alignment with strategic priorities and positioning cybersecurity as a business enabler.


Company Information

Name: Zedge, Inc.
CIK: 0001667313
SIC Description: Services-Prepackaged Software
Ticker: ZDGE - NYSE
Website
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: July 30