Rumble Inc. - (RUM)
10-K Filing Date: March 27, 2024
Risk Management and Strategy
The success of our business operations depends on the security, confidentiality, integrity and availability of confidential and sensitive information. Such information includes personal information that we collect and process on our own and using systems and platforms provided by our vendors and other third parties on which we rely. Consequently, we maintain a data protection program, which includes physical, technical, and administrative safeguards, designed to identify, prevent, and mitigate the risks posed by cybersecurity threats, and to identify, analyze, address, mitigate and remediate, in an efficient and timely manner, any cybersecurity incidents that may occur. As part of our program:
● We have implemented and maintain our policies, procedures and processes (PPP) related to the functioning of information technology within the company. The PPP are custom-tailored for the specific needs of the company – such as the nature and scale of the personal information that we collect and process – and incorporate controls and frameworks set forth by organizations such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Our internal Risk Management Committee, described below, reviews our PPP at least annually to assure continuing relevance and effectiveness.
● We maintain a dedicated, fully staffed and qualified Information Security team that reports to the office of the Chief Technology Officer (CTO) and is currently led by the Director of Information Security (InfoSec). Combined, these individuals have more than 50 years of experience related to corporate information security governance, data and network security, data governance, risk management, and overall secure practices involved with InfoSec.
● We have implemented a risk management process and formed a Risk Management Committee, which consists of members of our management team, including members with technical expertise, to identify, evaluate and categorize any potential InfoSec risks.
● We perform vulnerability testing and penetration testing at routine intervals to ensure that our InfoSec posture remains effective.
● We utilize and maintain third-party security vendors, as necessary, to provide assistance with a variety of security efforts.
● We are reviewing our security training protocols to ensure that all employees receive annual security training. This security training will be focused on overall InfoSec, privacy best practices, and review of company policies.
● We have formed and maintain a 24/7 Security Operations Center (SOC)/Network Operations Center (NOC) that continually monitors our key systems and logs.
● We have an Incident Response (IR) and escalation process that is designed to detect cyber incidents and react in an appropriate manner to reduce any related damage.
● We conduct tabletop exercises related to Business Continuity Planning (BCP) and Disaster Recovery (DR), as well as Incident Response (IR), for our SOC/NOC Operations team.
● Our Board of Directors (the “Board”) is regularly updated regarding the current state of InfoSec, its future roadmap, and any significant or material cybersecurity incidents.
Cybersecurity Governance
Our Board actively oversees our risk management activities and considers various risk topics throughout the year, including cybersecurity and information security risk management and controls. As part of its oversight function, the Board oversees the Company’s risk assessment and risk management policies, including related to cybersecurity and the data protection program, and performs an annual review and assessment of the primary operational and regulatory risks facing the Company, their relative magnitude and management’s plan for mitigating these risks.
As appropriate, our CTO and Director of InfoSec report to the Board on a broad range of topics, including any significant cybersecurity risks, the status of ongoing projects, future roadmap planning, updates to the company’s PPP, and other relevant updates to our InfoSec operations and stance. In addition, our Incident Response process is designed to ensure that the Board receives timely notifications and reports, particularly with respect to any material cybersecurity incident, so that they are aware of any material incident and can provide oversight and direction as part of the response and remediation process.
Our senior management is responsible for assessing and managing the Company’s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. Our Risk Management Committee is responsible for assessing and categorizing any significant identifiable risks and presenting them to senior management in a timely manner along with recommendations on how to manage these identified risks. All potential risks are identified, quantified, and categorized in such a manner that they can be ranked and presented to senior management for appropriate disposition (such as avoidance, acceptance, mitigation, etc.). Our CTO and Director of InfoSec have the primary responsibility for managing our cybersecurity program and efforts. They are advised by our General Counsel, who has extensive government experience with cybersecurity issues and regulations. We perform internal audits of our internal information technology controls and implementation, and we carry out a tabletop exercise at least once each year to determine our ability to respond to cybersecurity incidents in an effective and efficient manner.
Our information technology team has decades of operational experience in both private and classified government settings, advanced degrees in the information technology field from accredited universities, and certifications within their areas of expertise (e.g., Certified Information Systems Security Professional (CISSP), operating system certifications, network engineering certifications, etc.).