TechTarget Inc - (TTGT)
10-K Filing Date: February 28, 2024
Cybersecurity Risk Management and Strategy
As is the case for all companies in our industry or with a significant digital presence, we are periodically subject to cyberattacks and other cyber incidents and, therefore, cybersecurity is an integral component of our overall enterprise information security program. We have adopted a multi-layered framework to secure our networks, systems, devices, products and services while also assessing, identifying, and managing cybersecurity risks. That framework is designed to help protect our information assets, operations, and resources from internal and external cyber threats by understanding and seeking to mitigate risks while ensuring business resiliency from unauthorized access or attack. Our cybersecurity policies, standards, and procedures include security risk assessments for high priority systems, third-party compliance assessments for external vendors and suppliers, and incident management and breach response plans, which are influenced by, and periodically assessed against, recognized cybersecurity frameworks. Our incident management policy is designed to help prevent, manage, and coordinate our response to, and recovery from, potential and confirmed cybersecurity incidents and includes processes to triage, assess the severity of, escalate, contain, investigate and remediate incidents, as well as comply with applicable legal obligations.
We seek to enhance our policies and practices to protect our platforms, adapt to changes in regulations, identify potential and emerging security risks and develop mitigation strategies for those risks. For example, we conduct regular risk assessments at planned intervals for high priority systems and/or applications to identify and analyze threats and vulnerabilities, identify controls, assign risk ratings based on likelihood and level of potential impact, and provide recommendations for risk reduction, mitigation, acceptance, and avoidance. As part of our overall risk mitigation strategy, we also maintain cyber liability insurance coverage; however, such insurance coverage may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related incidents.
We regularly engage external parties, including consultants, auditors, and cybersecurity service providers to enhance our cybersecurity oversight. For example, we maintain an ISO 27001 certification for our BrightTALK platform and obtained a SOC 2, Type II report for our Priority Engine platform. These third-party assessments are evaluated and updated regularly. Additionally, we utilize various external parties and tools to assist us with annual penetration testing, cybersecurity and related training, vulnerability and patch management, threat detection and response, and information technology general controls.
In order to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we have a third-party risk management and assessment program designed to help protect against the misuse of information technology, data, and systems by third parties and business partners. The program generally requires third-party service providers to complete a security risk assessment, with certain high priority third-party providers undergoing annual risk assessments to determine if they have experienced any changes that could impact their security risk. If any critical risks are identified, we may perform a compliance audit of the third party to further document findings and to recommend corrective actions.
As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, as discussed under "Item 1A. Risk Factors," specifically the risk titled “The loss of personal, confidential, and/or proprietary information due to our cybersecurity systems or the systems of our customers, vendors, or partners being breached could cause us to incur significant legal and financial exposure and liability, and materially adversely affect our business, operating results and reputation,” the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well our controls are designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
Cybersecurity Governance and Oversight
Our Board of Directors provides oversight over cybersecurity risk. Our Board of Directors receives and provides feedback on periodic updates from management regarding cybersecurity and is notified between such updates regarding significant new cybersecurity incidents, if any. Our Board of Directors also receives periodic briefings on cyber-related issues and accomplishments including, among other things, reviewing key elements of our cybersecurity program, ongoing training initiatives and awareness programs, occurrence of any incidents, and updates regarding third-party certifications and assessments.
We have a Privacy and Security Executive Taskforce (“Taskforce”) consisting of executive-level leaders that meets periodically to, among other things, review global trends in privacy, security, and compliance, identify key projects and resource needs, and review operational privacy and security statistics and metrics. Additionally, our Chief Technology Officer (“CTO”) is a member of the Taskforce and manages and oversees a team (the “IT Security Team”) that is responsible for leading company-wide cybersecurity efforts. The IT Security Team works with various business units and departments, including legal, product development, and operations, to help set standards, policies, and processes. Our CTO, along with key members of the IT Security Team, has worked in the information security field for many years and is actively involved in our cybersecurity efforts. Our internal audit function also provides independent testing on aspects of the operations of our cybersecurity program and the supporting control framework and reports the results of these audits to our Audit Committee.
In an effort to deter and detect cyber threats, we periodically provide all full- and part-time employees with a data privacy, cybersecurity, and incident response training and compliance program, which covers timely and relevant topics, including phishing, malware, password security, confidential data protection, asset use and mobile security, and educates all employees on the importance of reporting all incidents immediately to the company’s dedicated Incident Management Team. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.