CREDITRISKMONITOR COM INC - (CRMZ)
10-K Filing Date: March 21, 2024
ITEM 1C.
CYBERSECURITY
Risk Management and Strategy
The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These cybersecurity processes are integrated into the Company’s overall compliance, risk management, and oversight procedures as overseen by the Company’s board of directors, primarily through its audit committee. These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. The Company’s process allows us to assess, identify and manage information security and cybersecurity threats through risk assessment and prevention measures to facilitate communication, training, awareness, incident response, and disclosure procedures as required by the SEC.
The Company may review SOC1 or SOC2 reports of certain third-party providers before engagement and has established monitoring procedures in its effort to mitigate risks related to data breaches or other security incidents originating from third parties. The Company engaged a third-party consulting firm to evaluate and test the Company’s risk management systems and to assess and prevent potential cybersecurity incidents as appropriate on an annual basis. The Company has engaged a third party to provide cybersecurity and awareness training to our employees to help mitigate the risk of threats posed by bad actors requesting information. The Company deploys technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, redundant data storage and retention methods, anti-malware functionality, security information and event management, automated update/patch management, and access controls, which are evaluated and improved through vulnerability and exposure assessments and cybersecurity threat intelligence. With the help of our third-party vendors, the Company has implemented several layers of physical security, digital security, and data backup.
Governance
Board of Directors -- The audit committee of the Company’s board of directors, with the input of management, oversees the Company’s internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The audit committee and the board of directors are informed of material risks from cybersecurity threats by the Company’s Chief Executive Officer, Chief Financial Officer, or the Senior Vice President of Information Technology.
Management -- Under the oversight of the audit committee of the Company’s board of directors, the Senior Vice President of Information Technology, with over 20 years of experience in this field, is primarily responsible for the assessment and management of material cybersecurity risks and for establishing and maintaining adequate and effective internal controls covering cybersecurity matters. The Company’s Chief Financial Officer and Senior Vice President of Information Technology are responsible for overseeing the establishment and effectiveness of controls and other procedures, including controls and procedures related to the public disclosure of material cybersecurity matters. See “Item 1. Risks Related to Information Systems Security - As the threat landscape is ever-changing, the Company must make continuous mitigation efforts, including risk-prioritized controls to protect against known and emerging threats; tools to provide automated monitoring and alerting; frequent employee training; and backup and recovery systems to restore systems and return to normal operations. However, there can be no assurance that the Company’s ability to monitor for or mitigate cybersecurity risks will be fully effective, and the Company may fail to identify cybersecurity breaches or discover them in a timely way.”