Red Violet, Inc. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

Red Violet, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 16:45:46 EST.

Filings

10-K filed on 2026-03-04

Red Violet, Inc. filed a 10-K at 2026-03-04 16:45:46 EST
Accession Number: 0001193125-26-091708


Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintained a comprehensive information security program designed to protect the confidentiality, integrity, and availability of our critical systems and information, as well as to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our systems and processes are assessed by independent third parties for compliance with: the International Standard Organization ("ISO") 27001:2022; System and Organization Controls ("SOC") 2, Type 2; and Payment Card Industry Data Security Standards ("PCI DSS") Level 1.

Our information security program includes the following key elements to help identify, manage, mitigate, and respond to cybersecurity threats:

- Risk assessments - We conduct annual enterprise-wide risk assessments designed to identify material cybersecurity risks to our operations, quantify the impact and probability of each identified risk, develop and implement mitigating controls, and reassess previously identified risks on an ongoing basis.
- Testing - We conduct monthly vulnerability assessments and annual penetration testing of our systems and controls to identify and remediate potential vulnerabilities. Our testing program includes both automated scanning and manual security assessments performed by qualified internal and external security professionals.
- Technical safeguards - We utilize multiple layers of technical safeguards designed to protect our information systems from cybersecurity threats, including network security controls, endpoint protection, data encryption, access controls, and security monitoring tools. We regularly review and update our technical safeguards in accordance with industry best practices and evolving threat landscapes.
- Business continuity and disaster recovery planning - We maintain comprehensive business continuity and disaster recovery plans that are tested at least annually to ensure our ability to maintain critical operations and recover from potential disruptions, including those resulting from cybersecurity incidents.
- Cybersecurity Incident Response - We maintain a cybersecurity incident response plan that governs the identification, containment, investigation, remediation, and reporting of cybersecurity incidents. We have designated an Incident Response Team with clearly defined roles and responsibilities, including escalation procedures to senior management and legal counsel for potentially material incidents. Our incident response procedures include protocols for timely communication with affected parties and regulatory authorities as required.
- Cybersecurity insurance - We maintain cybersecurity insurance coverage designed to mitigate financial risks associated with cybersecurity incidents, including costs related to incident response, forensic investigation, legal expenses, regulatory fines, and business interruption.
- Employee training and awareness programs - We provide mandatory annual cybersecurity training to all employees designed to help identify, avoid, and mitigate cybersecurity threats. Our training program includes insider threat awareness, simulated phishing exercises, secure coding practices for development personnel, and role-specific security training tailored to employee responsibilities. Additionally, our training program includes education on the secure and responsible use of AI and generative AI tools, covering topics such as data privacy considerations, prohibited uses of confidential information in AI systems, output validation requirements, and compliance with our AI usage policies.
- Third-party risk management - We maintain a third-party risk management program designed to identify, assess, manage, and mitigate risks associated with our vendors, service providers, and other third parties. This program includes security assessments of vendors prior to engagement, contractual security requirements, and ongoing monitoring of vendors with access to our systems or sensitive data.

We regularly review our information security program and associated policies, making periodic updates as we deem necessary and appropriate in accordance with recognized best practices and standards.

Governance

Our information security program and cyber risk management program is managed and overseen by Jeff Dell, our Chief Information Officer ("CIO") and a team of information security personnel reporting to the CIO. Our CIO reports directly to the CEO and is responsible for the assessment and management of material risks for cybersecurity threats. Mr. Dell brings over 30 years of experience in information technology and information security, working as an executive within data-driven companies for the last 25 years, including serving as CIO since our formation in August 2017 and continuing through our Spin-off from cogint. Mr. Dell holds a Bachelor of Science in Business from Arizona State University and has earned GCIA, GCWN, GWAPT and CISSP certifications. For additional information regarding Mr. Dell's business experience, see Part 1, Item 1 Business - Information About Our Executive Officers included in this Annual Report.

Management holds monthly Information Security Management System (ISMS) meetings which include stakeholders, senior management as well as the CIO and other key individuals reporting to the CIO. Cybersecurity risks, threats, and vulnerabilities, as well as existing mitigating controls, are discussed in ISMS meetings. Our CIO also provides quarterly reports of our information security and IT compliance program, as well as any material cybersecurity risks, to the Board of Directors.

We did not experience a material cybersecurity incident during the year ended December 31, 2025, which has materially affected or is reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the possibility of future cybersecurity incidents, as well as cybersecurity and technology risks more generally, could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. See "Item 1A. Risk Factors - Cybersecurity and Technology Risks" for more information.


Company Information

Name: Red Violet, Inc.
CIK: 0001720116
SIC Description: Services-Prepackaged Software
Ticker: RDVT - Nasdaq
Website
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 31