Cardlytics, Inc. - (CDLX)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY
Risk management and strategy
We rely on information technology and data to operate our business and develop, market and deliver our products and services to our customers. A critical part of our strategy involves focusing on gathering data without collecting, maintaining or using sensitive personal data such as social security numbers, credit card numbers, financial account information or medical records. The Cardlytics platform is designed so that we do not receive or have access to any PII from our FI partners. We only perform targeted marketing using data that has undergone processing such that it is only linked to anonymized identifiers.
We have implemented and maintain various information security risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess potential material impact to our business. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity and availability of our information assets and mitigate harm to our business.
Risks from cybersecurity threats are among those that we address in our general risk management program, where we conduct investigations and take actions as required to assess risks to the organization and take mitigating actions to reduce, eliminate or manage risks. Risk assessments are performed quarterly as part of this program and the results are discussed and reviewed with management.
We identify such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, logging and monitoring our IT environment, conducting threat assessments for internal and external threats and conducting vulnerability assessments to identify vulnerabilities.
We rely on a multidisciplinary team (including from our information security function, management, and third-party service providers) to assess how cybersecurity threats could impact our business. We assess the likelihood that such threats could result in a material impact to our information assets, operations, ability to provide our goods and services, our core business functions, customer acquisition and retention, personnel, reputation and identified critical business objectives.
Based on our assessment process, we implement and maintain various technical, physical and organizational measures designed to manage and mitigate such risks and potential material impacts. We may implement measures designed to prevent, detect, respond to, mitigate and recover from identified and significant cybersecurity threats. We prioritize our efforts based on the threats that are more likely to lead to a material impact to our business, such as ransomware, theft of IP and interruption of services. The risk management and reduction measures we implement, depending on the computing environment or system, may include the following: policies and procedures designed to address cybersecurity threats, including an incident response plan, vulnerability management policy, disaster recovery/business continuity plans and clear desk policies; threat detection and incident response; internal and/or external audits to assess our exposure to cybersecurity threats, environment, compliance with risk mitigation procedures, and effectiveness of relevant controls; documented risk assessments; implementation of security standards and certifications; credit and background checks on our personnel and contractors; encryption of data; network security controls; threat modeling; data segregation; physical and electronic access controls; physical security; asset management, tracking and disposal; continuous monitoring for potential intrusions; vendor risk management program; employee security training; penetration testing; cyber insurance; and a dedicated cybersecurity staff and officer.
We work with third parties from time to time that assist us to identify, assess and manage cybersecurity risks, including professional services firms to conduct SOC 2, Type II assessments, incident response consultants, cybersecurity software providers, managed cybersecurity service providers, penetration testing firms and other vendors that help to identify, assess, or manage cybersecurity risks.
To operate our business, we utilize certain third-party service providers to perform a variety of functions, such as professional services, SaaS platforms, managed services, cloud-based infrastructure, data center facilities, encryption and authentication technology and other functions. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide or the information they process, conducting security assessments, conducting on-site inspections, requiring their completion of written questionnaires regarding their services and data handling practices and conducting periodic re-assessments during their engagement.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, refer to our risk factors under Part 1. Item 1A. "Risk Factors" in this Annual Report, including "An actual or perceived breach of the security of our systems, or those of third parties upon which we rely, could result in adverse consequences resulting from such breach, including but not limited to a disruption of our operations, reputational harm, loss of revenue or profits, loss of customers, regulatory investigations or actions, litigation, fines and penalties and other adverse consequences."
Governance
Our board of directors addresses the Company's cybersecurity risk management as part of its general oversight function. The board of directors, along with the audit committee, is responsible for overseeing the Company's cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk management strategy relies on input from management, including the Chief Technology Officer, Chief Legal and Privacy Officer, Chief Operating Officer, and Chief Financial Officer, who report to the Chief Executive Officer, as well as the Chief Information Security Officer, to help us understand cybersecurity risks, establish priorities, determine the scope and details of our cybersecurity program and implement it. Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy, and for communicating key priorities to employees. Our cybersecurity incident response and vulnerability management processes involve management, who participates in our disclosure controls and procedures.
Every six months, management discusses cybersecurity risk and reviews our cybersecurity program. Management is also responsible for approving budgets, helping prepare for cybersecurity incidents, responding to cybersecurity incidents, approving cybersecurity policies and procedures, reviewing audit reports, and reporting to the board of directors regarding cybersecurity matters.
Management is involved with our efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing and testing our incident response plans. Management participates in cybersecurity incident response efforts as a member of the incident response team and helps direct our response to cybersecurity incidents.
Our board of directors oversees our risk management strategy with respect to cybersecurity risks and threats. The board, through its audit committee, holds regular quarterly meetings to discuss issues including our cybersecurity threats, and has dedicated agenda items during such meetings that are designed to assist the audit committee in exercising its oversight function. The meetings involve presentations and reports from the Chief Information Security Officer and management, including updates on contemporary cybersecurity threats faced by us and the steps we are taking to address them.