Outbrain Inc. - (OB)
10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We utilize various risk management guides, as well as the protocols of certain certifications as described below to identify, assess, and manage cybersecurity risks relevant to our business through our risk management program. Our cybersecurity risk management program includes a cybersecurity incident response plan.
We use COBIT (Control Objectives for Information and Related Technologies) as a framework for risk management and manage various controls as required by the ISO 27001, 27017 and 27032 standards. We maintain the following certifications: ISO 27001, ISO 27017 and ISO 27032, Cloud Security Alliance STAR Level 1 and PCI-DSS SAQ A-EP. Our on-premises data centers are SOC 2 certified.
In addition to our certifications, we (i) conduct routine employee training sessions and onboarding security training, including phishing simulations, to increase awareness of phishing and other cyber threats; (ii) require multi-factor authentication for all employee access to our network; (iii) operate monitoring and service protections that are continuously enhanced to detect and mitigate threats, including ongoing manual and automated vulnerability assessments; and (iv) manage an ongoing cyber risk-management framework to assess internal technological changes, as well as external systems and services, as part of supply chain risk.
In an effort to detect vulnerabilities or breaches that we have not yet discovered, we regularly run a comprehensive security testing program that includes scanning all internal and external assets for vulnerabilities, engaging multiple third-party security testing teams each year, and maintaining a bug bounty program.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Our cybersecurity risk management program includes:
•ongoing risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
•a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
•the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
•cybersecurity awareness training of our employees, incident response personnel, and senior management;
•a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
•a third-party risk management process for service providers, suppliers, and vendors.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program.
The Audit Committee receives quarterly reports from management regarding our cybersecurity risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as certain other incidents that have lesser impact potential.
The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cyber risk management program, including education sessions regarding cybersecurity topics from our Chief Information Officer (CIO) and Chief Information Security Officer (CISO), internal security staff or external experts.
Our Risk Committee, which includes our CEO and other members of management, meets quarterly as part of the Company’s enterprise risk management program, with cybersecurity being the most significant area of review and reporting.
Our security team, including our Governance, Risk and Compliance (GRC) lead, CISO and CIO, is responsible for assessing and managing our risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CISO has 25 years of experience as a technology leader, with extensive experience within the cybersecurity ecosystem and risk management. He has been certified as a CISO by the Israeli Technion Institute. Our CIO has 15 years of experience as a technology leader with extensive cybersecurity experience. He is also CRISC (Certified in Risk and Information Systems Control) certified. Our security team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.