MAGNITE, INC. - (MGNI)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Cybersecurity is a critical aspect of our business. As the world's largest independent omni-channel sell-side advertising platform, we face a multitude of cybersecurity threats, and our customers rely on us to safeguard their data. These challenges make it imperative that we take information security seriously, and we expend considerable resources on cybersecurity. We have implemented a comprehensive cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in adverse effects on the confidentiality, integrity, and availability of our information systems.
Cybersecurity matters are overseen by our board of directors, which meets quarterly to review the measures implemented by the Company to identify and mitigate cybersecurity risks. Our chief information security officer (“CISO”) reports to the board quarterly on cybersecurity matters. These reports and presentations are prepared with input from members of our senior management team responsible for overseeing the company’s cybersecurity risk management, including the Chief Technology Officer, Chief Financial Officer, Chief Legal Officer and Chief People Officer. In addition, cybersecurity risks and associated mitigation efforts are assessed by senior management as part of the enterprise risk assessment process that includes reporting to and discussion with the audit committee and our board of directors. In addition, cybersecurity controls have been integrated into our disclosure controls and procedures.
Our CISO, who has extensive cybersecurity knowledge and skills gained from extensive information technology and engineering experience, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business. The CISO receives reports on cybersecurity threats from other internal information security personnel on an ongoing basis and, in conjunction with management, regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risks. The CISO also attends meetings of the board of directors to report on any material developments. We have protocols by which certain cybersecurity incidents are reported promptly to management and the legal team.
The Company maintains a general security policy, which outlines the relationship between employees and information technologies and systems within the Company, and sets guidelines on how such technologies and systems should and should not be used. This policy is revised regularly by the CISO and reviewed and acknowledged by all Company employees in conjunction with annual cybersecurity training. The Company also has a Systems Security Policy in place, which outlines the requirements for system configuration and administration of systems within the Company, and includes steps for reporting cybersecurity incidents and keeping senior management and other key stakeholders informed and involved as appropriate.
With respect to incident response, we have adopted an Incident Response Playbook that applies in the event of a cybersecurity threat or incident (an “IRP”) to provide a standardized framework for responding to security incidents, including malware, hacking, data breach (including third-party data breach), and other types of vulnerabilities. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, and provides triage workflows for individuals to follow. Our incident response process is generally based on the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services requiring access to secure Company information, and to all devices and network services that are owned or managed by the Company. Our incident response team includes our CISO and the information security team, along with various business units, as applicable, and undergoes periodic training which includes exercises on monitoring and detection tools.
Security incidents are reviewed by the CISO and the information security team as soon as they are discovered or reported. The initial review of a security incident is conducted immediately, in order to appropriately determine the severity and urgency of the event. Key stakeholders and any technical owners of the impacted systems or processes are included in the incident review process and are brought in immediately in the case of potentially critical incidents. All phases of the review process are led by the CISO or another member of the security team, as appropriate.
We perform regular vulnerability scanning of our systems in order to ensure appropriate security controls are in place and function in accordance with established policies. We also have ongoing engagements with security consultants and other third parties as required to assist with assessing, identifying, and managing cybersecurity risks. These vendors help us with annual penetration testing and other items as needed. We have a robust internal controls framework and process and issue annual SOC 1 Type 2 reports covering our DV+, Streaming, and SpringServe platforms. In addition to our internal audit team, we have a dedicated compliance manager within the engineering department who helps ensure compliance with our control framework.
As detailed elsewhere in this Annual Report on Form 10-K, we also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, proprietary and other types of information. We use state-of-the-art systems with respect to the type of information processed, and employ processes designed to oversee, identify, and reduce the potential impact of a security incident with a third-party vendor or customer or otherwise implicating the third-party technology and systems we use. Despite ongoing efforts to continue improvement of our and our vendors’ ability to protect against cyber-attacks, we may not be able to protect all information systems. Any incidents may lead to reputational harm, revenue and client loss, legal actions, and statutory penalties, among other consequences.
Although we maintain a robust cybersecurity program, due to evolving cybersecurity threats, it has been and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. While we are not aware of having experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. To mitigate against such risks, the company carries information security risk insurance that provides protection against potential losses arising from a cybersecurity incident. Refer to Item 1A. "Risk Factors" for additional information related to cybersecurity risks and the impact they may have on our operations.