Vivid Seats Inc. - (SEAT)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We recognize the importance of maintaining the safety and security of our critical systems, information, products, services and broader information technology environment (collectively, our “Information Systems and Data”), and we have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability thereof.

Cybersecurity risks are addressed as a component of our enterprise risk management program. As such, our information security team works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact on our business. Features of our program include:

periodic risk assessments designed to help identify material cybersecurity risks to our Information Systems and Data;
a security incident response team that is principally responsible for managing our cybersecurity risk assessment processes, security controls and response to cybersecurity incidents;
a cyber and data security incident response plan that establishes policies and procedures for identifying, managing and recovering from cybersecurity incidents, including escalating tiers of notification depending on an incident's nature and severity;
periodic tabletop exercises with management and other employees to discuss and prepare potential cybersecurity incident responses;
the use of third-party service providers, where appropriate, to assess, test and assist with aspects of our security controls;
a third-party risk management process for our service providers, suppliers and partners;
cybersecurity insurance designed to reduce the risk of loss resulting from cybersecurity incidents;
policies and procedures that relate to cybersecurity matters, including those governing encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices; and
required privacy and cybersecurity training (including spear phishing and other awareness training) for employees.

The techniques used to obtain unauthorized access, to disable or degrade service or to sabotage systems change frequently. As a result, we have invested and continue to invest in the security and resiliency of our networks to help protect our Information Systems and Data. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see the “Risk Factors—Risks Related to Information Technology, Cybersecurity and Intellectual Property” section of this Report.

Cybersecurity Governance

Our Board is responsible for overseeing our enterprise risk management activities in general, and each of its committees assists in this role of risk oversight. Our Board has delegated the monitoring and oversight of risks related to cybersecurity and information technology to our Audit Committee, which regularly reports to our Board regarding its activities, including those related to cybersecurity risk management. Our Board also receives periodic briefings from management on our cybersecurity risk management program, including presentations on cybersecurity topics from our Chief Technology Officer, internal information security team and third-party experts.

Our Audit Committee oversees management’s implementation of our cybersecurity risk management program. Our Audit Committee receives regular updates from our Chief Technology Officer and other members of management on the cybersecurity risks that they view as most relevant to our business, our cybersecurity strategy and current cybersecurity trends, as well as other updates, as necessary, regarding certain cybersecurity incidents.

A cross-functional management team, which includes members of our information security, technical infrastructure, engineering and legal departments, is responsible for identifying, assessing and managing the risks from cybersecurity threats that are relevant to our business (and, depending on a threat’s potential nature and severity, reporting such information to our Audit Committee). This team has primary responsibility for our cybersecurity risk management program, including our cyber and data security incident response plan, supervises our internal personnel and third-party service providers and communicates our cybersecurity risk management processes to senior management, as well as to our Board and Audit Committee. This team reports to our Chief Technology Officer, who has more than 25 years of experience in the technology sector, and possesses more than 75 years of combined experience in cybersecurity matters, including threat assessment and detection, mitigation technologies, incident response, cyber forensics and regulatory compliance. In addition to relevant educational and industry experience, members of this team, including the heads of our information security and technical infrastructure departments, also hold relevant cyber and information security certifications, including from ISACA (Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA)) and ISC2 (Certified Information Systems Security Professional (CISSP)). This team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, including, as appropriate, the operation of our cyber and data security incident response plan, briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including our third-party service providers, and alerts and reports produced by security tools deployed in the information technology environment.