MAGNITE, INC. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

MAGNITE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:14:09 EST.

Filings

10-K filed on 2026-02-25

MAGNITE, INC. filed a 10-K at 2026-02-25 16:14:09 EST
Accession Number: 0001595974-26-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity is a critical aspect of our business. As the world's largest independent omni-channel sell-side advertising platform, we face a multitude of cybersecurity threats, and our customers rely on us to safeguard their data. These challenges make it imperative that we take information security seriously and, as such, we expend considerable resources on cybersecurity. We have implemented a comprehensive cybersecurity framework to identify, assess, and manage risks from cybersecurity threats that may result in adverse effects on the confidentiality, integrity, and availability of our information systems. Cybersecurity matters are overseen by our board of directors, which meets quarterly to review the measures implemented by the Company to identify and mitigate cybersecurity risks. Our Chief Information Security Officer ("CISO") reports to the board quarterly on cybersecurity matters. These reports and presentations are prepared with input from members of our senior management team responsible for overseeing the company's cybersecurity risk management, including the Chief Technology Officer, Chief Financial Officer, Chief Legal Officer, Chief People Officer, and SVP, Engineering, who is responsible for the technical infrastructure and engineering organization. In addition, cybersecurity risks and associated mitigation efforts are assessed by senior management as part of the enterprise risk assessment process that includes reporting to and discussion with the audit committee and our board of directors. Further, cybersecurity controls have been integrated into our disclosure controls and procedures. Our CISO leads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business. Our CISO has extensive background, knowledge and skill in cybersecurity, with over 12 years of experience in establishing and maturing cybersecurity strategies and safeguards in the advertising technology space, from small startups to Fortune 500 companies. She holds a bachelors degree, with a certificate in architecture and systems engineering, and a professional education certificate in AI and machine learning. The CISO receives reports on cybersecurity threats from internal information security personnel and open source intelligence on an ongoing basis and, in conjunction with management, regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risks. These sources all contribute to the building of a comprehensive threat profile for Magnite. The CISO attends meetings of the board of directors to report on any material developments. The Company has protocols by which cybersecurity incidents are reported promptly to management and the legal team. The Company maintains information security policies which outline the relationship between employees and information technologies and systems within the Company, and set guidelines on how such technologies and systems should and should not be used. These policies are revised regularly by the CISO and reviewed and acknowledged by all Company employees in conjunction with annual cybersecurity training. The security policies outline the requirements for system configuration and administration of systems within the Company, and include steps for reporting cybersecurity incidents and informing and involving senior management and other key stakeholders as appropriate. With respect to incident response, the Company has adopted an Incident Response Plan (an "IRP") that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to security incidents, including malware, hacking, data breach (including third-party data breach), and other types of vulnerabilities. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, and provides triage workflows for individuals to follow. Our incident response process is generally based on the NIST Cybersecurity Framework and customized for our business and focuses on four phases: 1) Preparation; 2) Detection and analysis; 3) Containment, eradication and recovery; and 4) In post-incident remediation. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services requiring access to secure Company information, and to all devices and network services that are owned or managed by the Company. Our incident response team includes our CISO and the security team, along with various business units as applicable and the team undergoes periodic training which includes exercises on monitoring and detection tools. Security incidents are reviewed by the CISO and the security team as soon as they are discovered or reported. The initial review of a security incident is conducted immediately in order to appropriately determine the severity and urgency of the event, provide the most rapid response possible, and meet disclosure obligations. Key stakeholders and owners of the impacted systems or processes are included in the incident review process and are brought in immediately in the case of potentially critical incidents. All phases of the review process are led by the CISO or another member of the security team, as appropriate. We perform regular vulnerability scanning of our systems in order to confirm that appropriate security controls are in place and function properly in accordance with established policies. We also have ongoing engagements with security consultants, and vendors help us with annual penetration testing and other tasks as needed. We have a robust internal controls framework and process and issue annual SOC 1 Type 2 reports covering our DV+ and SpringServe platforms. We also delivered an audited SOC2 Type 1 report covering our DV+ and SpringServe platforms in 2025. In addition to our internal audit team, we have a dedicated governance, risk and compliance manager who helps promote compliance with our control framework. As detailed elsewhere in this Annual Report on Form 10-K, we also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, proprietary and other types of information. We use state of the art systems with respect to the type of information processed, and employ processes designed to identify and reduce the potential impact of a security incident with a third-party vendor or customer or otherwise impact the third-party technology and systems we use. Despite ongoing efforts to drive continuous improvement of our and our vendors' ability to protect against cyber-attacks, we may not be able to protect all information systems at all times. Any incidents may lead to reputational harm, revenue and client loss, legal actions, statutory penalties, among other consequences. Although we maintain a robust cybersecurity program, due to the evolving cybersecurity threat landscape, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. While we are not aware of any risks from cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. To mitigate against such risks, the company carries cybersecurity insurance that provides protection against potential losses arising from a cybersecurity incident. Refer to Item 1A. "Risk Factors" for additional information related to cybersecurity risks and the impact they may have on our operations.

Company Information