COSTAR GROUP, INC. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 26, 2026

COSTAR GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 18:14:36 EST.

Filings

10-K filed on 2026-02-25

COSTAR GROUP, INC. filed a 10-K at 2026-02-25 18:14:36 EST
Accession Number: 0001057352-26-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program is guided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements at all times; rather, we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks 34 relevant to our business. Additionally, we engage a third-party vendor regularly to benchmark our information security program's maturity against the NIST CSF. Our cybersecurity risk management program is integrated into our overall risk management program and shares common methodologies, reporting channels, and governance processes that apply across the Company's risk management program. Key elements of our cybersecurity risk management program include, but are not limited to the following: a. Internal and external asset identification, assessment, monitoring, and classification procedures to evaluate cybersecurity risks and inform mitigation efforts; b. A security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our cyber processes, and (3) our cyber threat and incident response; c. The use of external service providers, where appropriate, to assess defenses, analyze threat intelligence, or otherwise assist with aspects of our security controls; d. Cybersecurity awareness training of our employees, software development teams, incident response personnel, and senior management; e. A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and regular tabletop exercises to assess our response readiness; f. A third-party risk management process for key service providers, suppliers, and vendors who access critical systems and data based on risk profile; and g. A formal information security training program for all employees. We have not identified material risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents that have materially affected our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors - "Cyberattacks and security vulnerabilities could result in material harm to our reputation, business, and financial condition." and "Technical problems or disruptions that affect either our customers' ability to access our services, or the software, internal applications, database, and network systems underlying our services, could damage our reputation and lead to reduced demand for our online marketplace services, information, and analytics, lower revenue and increase costs." Cybersecurity Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and generative AI risks, controls, and procedures. Our Chief Technology Officer (CTO) is responsible for oversight of our cybersecurity risk management program. Our Vice President of Cyber Security (VPCS), who reports up to the CTO, is responsible for day-to-day assessment and management of cybersecurity risk , including supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CTO is also responsible for overseeing the material risks and strategic opportunities associated with AI. Our Audit Committee receives reports from the CTO on our cybersecurity risks and our use of AI. In addition, the CTO updates the Audit Committee, as necessary, regarding any significant cybersecurity incidents. The Audit Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity and AI. Our CTO and VPCS assist the management team in staying informed about and monitoring the prevention, detection, mitigation, and remediation of cybersecurity threats. Our CTO has over 25 years of information technology experience, including leadership experience managing global product development, information security, IT infrastructure and engineering. He holds a M.S. in information systems from George Washington University and a B.A. in computer science from State University of New York-Geneseo. The VPCS has over 20 years of information security and technology experience, including 10 years in senior leadership roles in service provider, enterprise, and military environments. He holds an MBA from Georgetown University, a M.S. in information systems from Virginia Tech University, and a B.S. in computer information technology from Purdue University. Additionally, our management team's experience includes industry-recognized certifications, such as CISSP, CISM, and CISA, decades of experience as part of our IT team, and previous cybersecurity leadership positions at various Fortune 500 companies and U.S. Defense contractors. 35 The CTO and VPCS are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Company Information