Red Violet, Inc. 10-K Item 1C. Cybersecurity - 2026-03-04

Get alerts

Red Violet, Inc. disclosed their cybersecurity strategy, risk management and governance process in an annual SEC Filing 10-K filing on 2026-03-04 16:45:46 EST

Company Summary
Filings
- 10-K filed on 2026-03-04
Company
- Profile

Company Summary

Red Violet, Inc. develops a cloud-native, AI/ML-driven identity intelligence platform (CORE) and related solutions (marketed primarily as IDI and FOREWARN) that provide identity verification, risk mitigation, fraud detection and prevention, due diligence, and regulatory compliance for public and private sector organizations.

Looking for governance insights? View the comprehensive Cyber Governance Profile for Red Violet, Inc..

Filings

10-K filed on 2026-03-04

Red Violet, Inc. filed an SEC Filing 10-K filing on 2026-03-04 16:45:46 EST.
Accession Number: 0001193125-26-091708

Item 1C. Cybersecurity

Item 1C - Cybersecurity

Item 1C. Cybersecurity .

Risk Management and Strategy

We have implemented and maintained a comprehensive information security program designed to protect the confidentiality, integrity, and availability of our critical systems and information, as well as to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our systems and processes are assessed by independent third parties for compliance with: the International Standard

Organization ("ISO") 27001:2022; System and Organization Controls ("SOC") 2, Type 2; and Payment Card Industry Data Security Standards ("PCI DSS") Level 1.

Our information security program includes the following key elements to help identify, manage, mitigate, and respond to cybersecurity threats:

Risk assessments --We conduct annual enterprise-wide risk assessments designed to identify material cybersecurity risks to our operations, quantify the impact and probability of each identified risk, develop and implement mitigating controls, and reassess previously identified risks on an ongoing basis.
Testing --We conduct monthly vulnerability assessments and annual penetration testing of our systems and controls to identify and remediate potential vulnerabilities. Our testing program includes both automated scanning and manual security assessments performed by qualified internal and external security professionals.
Technical safeguards --We utilize multiple layers of technical safeguards designed to protect our information systems from cybersecurity threats, including network security controls, endpoint protection, data encryption, access controls, and security monitoring tools. We regularly review and update our technical safeguards in accordance with industry best practices and evolving threat landscapes.
Business continuity and disaster recovery planning --We maintain comprehensive business continuity and disaster recovery plans that are tested at least annually to ensure our ability to maintain critical operations and recover from potential disruptions, including those resulting from cybersecurity incidents.
Cybersecurity Incident Response --We maintain a cybersecurity incident response plan that governs the identification, containment, investigation, remediation, and reporting of cybersecurity incidents. We have designated an Incident Response Team with clearly defined roles and responsibilities, including escalation procedures to senior management and legal counsel for potentially material incidents. Our incident response procedures include protocols for timely communication with affected parties and regulatory authorities as required.
Cybersecurity insurance --We maintain cybersecurity insurance coverage designed to mitigate financial risks associated with cybersecurity incidents, including costs related to incident response, forensic investigation, legal expenses, regulatory fines, and business interruption.
Employee training and awareness programs --We provide mandatory annual cybersecurity training to all employees designed to help identify, avoid, and mitigate cybersecurity threats. Our training program includes insider threat awareness, simulated phishing exercises, secure coding practices for development personnel, and role-specific security training tailored to employee responsibilities. Additionally, our training program includes education on the secure and responsible use of AI and generative AI tools, covering topics such as data privacy considerations, prohibited uses of confidential information in AI systems, output validation requirements, and compliance with our AI usage policies.
Third-party risk management -- We maintain a third-party risk management program designed to identify, assess, manage, and mitigate risks associated with our vendors, service providers, and other third parties. This program includes security assessments of vendors prior to engagement, contractual security requirements, and ongoing monitoring of vendors with access to our systems or sensitive data.

We regularly review our information security program and associated policies, making periodic updates as we deem necessary and appropriate in accordance with recognized best practices and standards.

Governance

Our information security program and cyber risk management program is managed and overseen by Jeff Dell, our Chief Information Officer ("CIO") and a team of information security personnel reporting to the CIO. Our CIO reports directly to the CEO and is responsible for the assessment and management of material risks for cybersecurity threats. Mr. Dell brings over 30 years of experience in information technology and information security, working as an executive within data-driven companies for the last 25 years, including serving as CIO since our formation in August 2017 and continuing through our Spin-off from cogint. Mr. Dell holds a Bachelor of Science in Business from Arizona State University and has earned GCIA, GCWN, GWAPT and CISSP certifications. For additional information regarding Mr. Dell's business experience, see Part 1, Item 1 Business - Information About Our Executive Officers included in this Annual Report.

Management holds monthly Information Security Management System (ISMS) meetings which include stakeholders, senior management as well as the CIO and other key individuals reporting to the CIO. Cybersecurity risks, threats, and vulnerabilities, as well as existing mitigating controls, are discussed in ISMS meetings. Our CIO also provides quarterly reports of our information security and IT compliance program, as well as any material cybersecurity risks, to the Board of Directors .

We did not experience a material cybersecurity incident during the year ended December 31, 2025, which has materially affected or is reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the possibility of future cybersecurity incidents, as well as cybersecurity and technology risks more generally, could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. See "Item 1A. Risk Factors - Cybersecurity and Technology Risks" for more information.

Company

Profile

Name	Red Violet, Inc.
CIK	1720116
SIC Description
Industry
Ticker	RDVT
Website
Category
Fiscal Year End	December 31