SEMrush Holdings, Inc. - (SEMR)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We are committed to developing and maintaining cybersecurity policies and procedures that are designed to protect the Company against risks from continually evolving cybersecurity threats.
Our cybersecurity program maintains processes designed to identify, measure, and mitigate cybersecurity risks. These processes include internal semi-annual technical audits of existing cybersecurity controls, which are informed by industry standards and frameworks including, but not limited to, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internal Controls (CIS) critical security controls. These audits also draw on interviews with Company stakeholders to set cybersecurity priorities.
Our cybersecurity program also includes external and internal penetration tests and vulnerability assessments. We also operate a bug bounty program to encourage proactive vulnerability reporting, and conduct employee training. Additionally, we take part in ongoing cybersecurity industry research and cybersecurity framework development.
We provide periodic updates on cybersecurity risk identification, assessment, and mitigation to executive management, the Audit Committee of the Board of Directors, and the full Board of Directors. Based on their feedback, and in combination with a continuous maturity self-assessment process, we make periodic personnel, processes, or technology adjustments for the cybersecurity program, as appropriate.
To address cybersecurity risks posed by third-party vendors, our cybersecurity program includes processes for third-party vendor risk assessment and management. Based on the sensitivity of the data involved and other business context, our vendor evaluation process may include technical assessments, questionnaires, market analysis, and reviewing references. Based on this information, vendors may be continuously monitored, and reassessments may be conducted on a periodic basis to evaluate ongoing compliance.
Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats and security incidents relating to our and our third-party vendors’ information systems. For more information, see Item 1A. Risk Factors.
Governance Related to Cybersecurity Risks
Our cybersecurity program is directed by our Chief Information Officer (“CIO”), along with the Senior Vice President (“SVP”) of Information Security. Our CIO has over twenty-five (25) years of experience in the information technology (“IT”) industry, where he has held various chief information officer and technology leadership roles, including as the chief information officer at a public technology company. Our SVP of Information Security also has over twenty-five (25) years of experience in the IT and information security industries, and previously served as the chief information security officer at a public technology company.
The CIO reports to senior management on the Company’s cybersecurity governance program. Our CIO and SVP of Information Security are members of our cyber resilience steering committee. This committee consists of leaders across the Company in the areas of information security, governance, and oversight. The committee meets periodically and as needed to, as relevant, discuss oversight of the Company’s cybersecurity program, program enhancements, and emerging cybersecurity risks or threats.
Our Board of Directors holds ultimate responsibility for risk oversight, including cybersecurity. The CIO provides an annual cybersecurity update to the Board. Our Audit Committee, pursuant to its charter, has been tasked by our Board with oversight of cybersecurity risk management. The CIO and SVP of Information Technology report to the Audit Committee on cybersecurity matters on a periodic basis.