DoubleVerify Holdings, Inc. - (DV)
10-K Filing Date: February 28, 2024
We recognize the importance of assessing, identifying, and managing risks associated with cybersecurity threats. In furtherance thereof, we have made information security and protection a strategic priority. We have implemented multi-layered organizational, technical, and administrative measures which we continuously advance and proactively invest in.
Cybersecurity Risk Management and Strategy
We have a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program is integrated into and serves as an important component of our overall enterprise risk management program, and utilizes cross-functional teams to proactively assess risk and ensure that security controls are built-in prior to deployment.
Our cyber risk management program is informed by recognized standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework (“CSF”), the International Organization Standardization (“ISO”) 27001:2013 Information Security Management System Requirements and the AICPA Trust Services Criteria, which are independently validated and attested via our SOC 2 Type II report.
Our cybersecurity risk management program includes:
● risk assessments designed to assess, identify and manage material cybersecurity risks to our critical systems, information, solutions, and our broader IT environment;
● an incident response plan;
● vulnerability management, penetration testing, tabletop exercises and ongoing threat intelligence;
● the use of third-parties, where appropriate, to engage in penetration testing, conduct audits of our systems and engage in monitoring;
● enterprise-wide cybersecurity awareness training; and
● a third-party risk management process for vendors.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for the Board of Directors of DoubleVerify (the “Board”) and management. Our Board as a whole has responsibility for overseeing our risk management program. The Board exercises this oversight responsibility directly and through its committees. The Board has primary responsibility for evaluating strategic and operational risk management, including cybersecurity risk management, and has delegated to the Audit Committee of the Board (the “Audit Committee”) oversight of the adequacy and effectiveness of the Company’s information and technology security policies as well as the internal controls regarding information and technology security, cybersecurity and privacy related areas. The Audit Committee also oversees management’s implementation of our cybersecurity risk management program.
The Audit Committee receives reports from management at least quarterly on a broad range of relevant topics, which include cybersecurity risks attendant to our business, recent developments in the cybersecurity landscape and practice, third-party and independent reviews, benchmarking and resource allocation, among other topics. In addition, management updates the Audit Committee regarding material or potentially material cybersecurity incidents. The Audit Committee provides reports to the full Board regarding these and other matters at least quarterly. The full Board also receives periodic briefings from management on our information security organization and risk management programs.
The Company’s Chief Information Security Officer reports to our Chief Information Officer and leads the Company’s cybersecurity team. This team is principally responsible for managing the Company’s cybersecurity risk management program, in cross-functional partnership with business leaders across the Company, reporting cybersecurity risks and incidents, among other things, to the Audit Committee, and supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants. Collectively, our cybersecurity team has decades of experience managing cybersecurity risk worldwide and members hold accreditations such as the Certified Information Systems Security Professional, Certified Ethical Hacker and Certified Information Security Manager certifications.
During the period covered by this Annual Report, we have not identified cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We recognize that we face a number of cybersecurity risks in connection with our business and that institutions like us, as well as our employees, service providers and other third parties on whom we rely have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of increasingly sophisticated cyber attacks. For more information about the cybersecurity risks we face, see the risk factor: “System failures, security breaches, cyberattacks or natural disasters could interrupt the operation of our platform and data centers and significantly harm our business, financial condition and results of operations” under the caption “Risk Factors” in this Annual Report on Form 10-K.