MeridianLink, Inc. - (MLNK)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We take seriously the security of the data entrusted to us by our customers and the confidentiality, integrity, and availability of our platforms. We have integrated cybersecurity risk management into our broader enterprise risk management framework in an effort to protect our applications, networks, and systems from risks from cybersecurity threats. This strategic integration allows cybersecurity risk management to inform early decision-making processes across the organization.
We recognize the ever-evolving nature of cybersecurity risks. Our cybersecurity risk management program draws on recognized industry standards, including elements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. MeridianLink also conducts periodic penetration testing and operates a bug bounty program to expose weaknesses in our applications, networks, and systems before they can be exploited by malicious actors. Our Governance, Risk, and Compliance, or GRC team, in close collaboration with our Security Operations and Engineering teams, monitors and mitigates evolving risks from cybersecurity threats, prioritizing alignment with our business objectives and operational needs. We view cybersecurity risk management as a shared responsibility, and at a management level, we periodically perform tabletop exercises which simulate real-world cyberattacks.
We also strategically partner with third-party cybersecurity consultants, assessors, and auditors in evaluating and testing our cybersecurity risk management processes and controls. These strategic partnerships are catalysts for the continuous improvement of our cybersecurity risk management posture. Through audits, threat assessments, and collaborative brainstorming sessions on cybersecurity enhancements, these partnerships help us bridge knowledge gaps, identify best practices, and refine our cybersecurity strategies and processes. Further, we leverage these partnerships to identify cybersecurity vulnerabilities and weaknesses and improve our cybersecurity posture.
As part of our cybersecurity risk management program, we maintain processes to proactively manage potential risks posed by third-party vendors. This involves conducting cybersecurity assessments before onboarding any vendor that may have access to our systems, applications, or data, followed by ongoing monitoring by our GRC team and periodic assessments to evaluate these onboarded vendors’ compliance with our cybersecurity standards.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats and security incidents that could affect our information or systems. For more information about the cybersecurity risks we face, see the risk factors in Item 1A. Risk Factors.
Governance
Our board of directors is aware of the importance of managing the evolving and complex cybersecurity threat landscape and has established oversight measures designed to manage associated cybersecurity risks. The Cybersecurity Committee is a decision-making body formed by our board that is tasked with advising and assisting the Chief Information Security Officer, or CISO, on cybersecurity matters and integrating major cybersecurity initiatives into our broader strategy. The Cybersecurity Committee is composed of board members whose backgrounds collectively include experience in risk management, technology, and finance.
Our CISO leads our cybersecurity risk management program. The individual currently serving in this role has over 20 years of experience designing and building cybersecurity programs, and his background spans multiple industries such as fintech, SaaS, energy/utilities, legal and managed security services. The CISO establishes and supervises procedures for the evaluation of our information systems, including the use of security tools and system reviews designed to spot potential weaknesses. The CISO works to keep up to date with the latest trends in cybersecurity, such as emerging risks and best practices for cybersecurity risk management. In case of a cybersecurity incident, the CISO initiates our incident response plan in an effort to respond to the incident and to reduce the potential damage to our organization.
The CISO briefs the Cybersecurity Committee on cybersecurity risks on at least a quarterly basis. These briefings encompass a range of topics, including, as appropriate, key cybersecurity metrics, the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives and strategies, and incident management reports and lessons learned from cybersecurity events. The Cybersecurity Committee and CISO also maintain a continuous dialogue on potential threats. The Cybersecurity Committee annually assesses MeridianLink's cybersecurity posture and risk management efficacy, leading to improvement efforts. The Cybersecurity Committee chair and/or our General Counsel conveys certain cybersecurity updates on the CISO's behalf during board meetings.