CLARIVATE PLC 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

CLARIVATE PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 06:04:50 EST.

Filings

10-K filed on 2026-02-24

CLARIVATE PLC filed a 10-K at 2026-02-24 06:04:50 EST
Accession Number: 0001764046-26-000019


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

At Clarivate, cybersecurity risk management is an integral part of our Enterprise Risk Management program. Because we are a global information services provider, our business is highly dependent on the protection of our proprietary software and content, as well as the timeliness, accuracy, and availability of our digitally-based offerings. Consequently, we are highly sensitive to risks from cybersecurity threats to our information systems, particularly those threats that would affect our ability to continue to provide real-time access to our database content and analysis. To mitigate these threats, we utilize the following processes and governance structure.

Our Information Security Risk Management program is designed to align with ISO 27001 and related information security frameworks to ensure consistent, measurable controls across Clarivate's enterprise. It provides a framework to identify, assess, and control cybersecurity threats and incidents. We conduct an annual information security risk assessment and targeted cybersecurity reviews throughout the year to evaluate emerging threats and control effectiveness. The results of these assessments and reviews are reported to executive management and the Board of Directors (the "Board"). Our cybersecurity efforts also include mandatory information security awareness training for all employees, clearly defined expectations for acceptable use policies, and certification of adherence to our Code of Conduct. The IT Governance, Risk, and Compliance team conducts periodic audits to evaluate policy and regulatory compliance, recording findings for subsequent review and remediation initiatives.

We also leverage internal and external security subject matter experts and consultants to conduct comprehensive risk assessments, including architecture reviews, vulnerability scans, penetration tests, application security evaluations, and technical compliance reviews. We maintain a security threat intelligence system that collects and analyzes data from internal vulnerability management tools, vendors, and third-party security organizations. Our patch management standard is designed to ensure that appropriate patching practices are consistently applied to our technology infrastructure, and a security operations center enhances our real-time awareness, event correlation, and incident response capabilities.

As part of our risk management program, we also assess cybersecurity risks associated with third-party service providers. We have processes in place designed to oversee and identify material risks from cybersecurity threats associated with our engagement of such providers, including the use of cybersecurity risk criteria when determining the selection and oversight of those service providers.

Cybersecurity Governance

The Board, acting directly and through its committees, is responsible for the oversight of our risk management programs. The Board's Audit Committee has the delegated responsibility for the oversight of key enterprise risks, including risks from cybersecurity threats. The Audit Committee also provides oversight of our policies and processes for monitoring and mitigating such risks. Among other duties, the Audit Committee receives and reviews periodic reports from management pertaining to cybersecurity programs and data privacy controls, as well as other information security reports that the committee deems appropriate. The Audit Committee meets at least quarterly, and the chair of the committee gives regular reports to the full Board on its activities.

Management is responsible for day-to-day risk management activities, including those relating to information systems and cybersecurity. We employ an internal chief information security officer ("CISO") who has more than 25 years of technology industry leadership, cybersecurity expertise, and engineering and operations experience. Our CISO and his team of certified security subject matter experts (collectively, "Information Security") have deep experience and expertise in cybersecurity and lead our organizational efforts to assess and manage material risks associated with our information systems and cybersecurity threats. Our dedicated Information Security Steering Committee regularly reviews our most significant information security risks, strategic projects, and key performance indicators. On a quarterly basis, Information Security also meets with business segment leadership to discuss the most significant risks, including identifying potentially material risks and developing, implementing, and applying reasonable risk mitigation processes. Our risk management programs are developed, implemented, managed, and reviewed under the direction of Information Security and business segment leaders, with subsequent actions determined based on the results of these preventive and detective controls.

Our incident response plan defines our procedures when potential security incidents are identified, including the associated escalation path. Depending on the assessed severity of the incident, the Audit Committee or the full Board may be notified immediately or at its next regularly scheduled meeting.


Company Information

Name: CLARIVATE PLC
CIK: 0001764046
SIC Description: Services-Computer Processing & Data Preparation
Ticker: CLVT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31