IAC Inc. - (IAC)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Overview
We recognize that the safety and security of our systems, technology and infrastructure (and those of key third-party service providers upon which we rely), as well as our content and confidential or sensitive user and employee information, is critical to maintaining the trust and confidence of our users and subscribers, consumers, advertisers and investors (among other stakeholders). As a result, Company management has established programs and related processes designed to manage cybersecurity issues, including the assessment, identification and management of cybersecurity risks, together with related mitigation and recovery efforts. Our board of directors, directly and through our Audit Committee, oversees Company management in the execution of its cybersecurity responsibilities, including the assessment of the Company’s approach to cybersecurity risk management.
Cybersecurity Risk Management and Strategy
Overview. Our cybersecurity programs and related processes generally consist of the following key elements: (i) risk assessment and management efforts, (ii) technical safeguards and incident response and recovery efforts, (iii) third-party risk management efforts, (iv) education, training and preparedness efforts and (v) governance efforts.
Risk assessment and management efforts. We assess, identify and manage cybersecurity risks as part of a comprehensive information security program that is intended to be aligned with standard industry frameworks, such as the International Organization for Standardization (ISO) 27000 series and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
As part of the ongoing refinement of our information security program, we engage (as appropriate) various third-party risk management services to assist with the identification of potential cybersecurity issues, such as those involving software vulnerabilities, configuration errors, data exposure and credential theft (among others), as well as consult with external legal counsel, third-party experts and other advisors to assist with incident response and recovery efforts, forensic investigations, extortion negotiations and crisis management or readiness for the same. We also maintain a cyber insurance policy to help manage, in part, costs associated with significant cybersecurity incidents that may occur.
In addition, as discussed in more detail below under the caption “Cybersecurity Governance,” the assessment, identification and management of cybersecurity risks have been integrated into our overall enterprise risk management (“ERM”) efforts.
Technical safeguards and incident response and recovery efforts. As part of our information security program, we have implemented a number of tools and procedures designed to identify and remediate vulnerabilities and misconfigurations in our applications and infrastructure, as well as manage access and identities throughout their lifecycles. These tools and procedures are intended to be consistent with ISO and NIST frameworks. In addition, we have implemented an incident response policy that outlines established processes for addressing cybersecurity issues and that leverages a cross-functional cybersecurity incident response team and outside advisors, intended to allow the Company to take action in a timely and decisive manner, in compliance with applicable laws, rules and regulations, during the response, investigation and remediation of a given cybersecurity incident.
Third-party risk management efforts. In addition to the assessment, identification and management of our own cybersecurity related risks, we also consider and evaluate cybersecurity risks associated with certain third-party service providers upon which we rely for a wide variety of technical and business functions. Our efforts in this regard consist of (among other efforts): (i) security assessments to determine whether key third-party service provider information security procedures meet our expectations, (ii) the use of a monitoring service that detects evidence of the compromise of key third-party provider systems, technology and infrastructure, (iii) assessments designed to identify business and technical risks to our systems, technology and infrastructure posed by key third-party service providers and (iv) the development of strategies to determine the potential adverse impact of, and develop mitigation strategies for, any cybersecurity incidents experienced by key third-party service providers on our business, financial condition and results of operations.
Education, training and preparedness efforts. Education, training and preparedness are an important part of our information security program. In connection with our education and training efforts, we have developed and implemented a set of Company-wide policies and procedures regarding cybersecurity matters that impose responsibility on our employees through the course of their work to: (i) protect our systems, technology, infrastructure and data from cybersecurity threats, (ii) quickly report known or suspected cybersecurity incidents or other suspicious activity through designated channels and respond effectively to such events and (iii) use Company and personal information technology in a secure manner. In addition, we generally mandate information security training for our employees and our software developers generally receive mandatory additional technical training, each on an annual basis. In connection with our preparedness efforts, we periodically participate in tabletop exercises with the goal of helping management effectively respond to cybersecurity incidents that may occur. We also maintain documented incident response policies to help ensure that our response activities are consistent and appropriate.
Governance. See the disclosure under the caption “Cybersecurity Governance” below.
Cybersecurity Governance
Our board of directors is responsible for overseeing Company management’s execution of its cybersecurity responsibilities, including our approach to cybersecurity risk management. Our board of directors executes this oversight in coordination with our Audit Committee, which, pursuant to its charter, assists the Board with risk assessment and risk management policies as they relate to cybersecurity risk exposure (among other risk exposures), as well as through its regularly scheduled meetings and through discussions with Company management on an as-needed basis.
In addition, the assessment, identification and management of cybersecurity risks have been integrated into our ERM efforts. As part of that annual process, cybersecurity risks across our businesses are included in the risk universe that our Executive Risk Committee (consisting of members of Company senior management) evaluates to identify our top enterprise risks and develop related mitigation plans. The cybersecurity and other risks are reviewed during the year through our ERM process and discussed with our Audit Committee at least semi-annually and with our board of directors at least annually.
Our Chief Information Security Officer (“CISO”) is responsible for the development and implementation of our information security program on a Company-wide basis, together with a dedicated team of experienced, Company-wide information security analysts. Our CISO has over twenty-five years of experience leading the development, implementation and oversight of information security programs and members of the information security team have relevant certifications, educational and industry experience.
Our CISO is also responsible for reporting on the status of our information security program and related efforts and processes to Company senior management periodically, and to the Audit Committee on a quarterly basis. In addition, our CISO reports cybersecurity matters to Company senior management and the Audit Committee on an as-needed basis. At each regularly scheduled meeting of our board of directors, the Chair of our Audit Committee provides quarterly updates regarding significant matters discussed, reviewed, considered and approved by the committee since the last regularly scheduled board meeting (including cybersecurity matters, as and if applicable), as well as timely updates outside of the quarterly updates on an as-needed basis. Lastly, our CISO promptly informs Company management and our Audit Committee of cybersecurity incidents that meet established reporting thresholds or when otherwise determined appropriate, and provides ongoing updates regarding such incidents until they have been resolved.
Cybersecurity Risks
As discussed above and under “Item 1A—Risk Factors—Risk Factors—General Risk Factors,” we face a number of cybersecurity risks across our various businesses, and we have experienced threats to and unauthorized intrusions of our systems, technology and infrastructure from time to time. While to our knowledge we have not to date experienced a cybersecurity incident or threat that has materially and adversely affected our business, financial condition and results of operations, we cannot provide assurances that they will not be materially affected in the future by such incidents.