EverQuote, Inc. - (EVER)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

 

Identifying and assessing cybersecurity risk is integrated into our overall enterprise risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third party assessments, internal IT audits, IT security, governance, and risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct privacy and cybersecurity reviews of systems, applications, and applicable data policies; perform penetration testing using external third-party tools and techniques; conduct employee training; monitor emerging laws and regulations related to data protection and information security; and implement appropriate changes. We have implemented incident response and breach management processes that are overseen by leaders from our information security, engineering, compliance and legal teams regarding matters of cybersecurity. Security threats are evaluated, ranked by severity and prioritized for response and remediation. Potential data security incidents are investigated to determine operational and business impact, applicability of regulatory or contractual data privacy requirements, including state data breach notification statutes, and materiality. We conduct tabletop exercises to simulate responses to cybersecurity incidents and collaborate with technical and business stakeholders across our business units to form detection, mitigation and remediation strategies. We also maintain third party security procedures to identify, prioritize, assess, mitigate and remediate third party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

 

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property. However, to date these incidents have not had a material impact on our service, systems or business. Any significant disruption to our service or access to our systems could result in a loss of insurance provider customers, third-party publishers, other service providers, or consumer referrals and adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See “Risk Factors — Our business could be materially and adversely affected by a cybersecurity breach or other attack involving our computer systems or our third-party service providers.”

The Chief Information Officer, or CIO, leads our information security organization responsible for overseeing EverQuote’s information security program. Our CIO has over 30 years of industry experience managing risks or advising on cybersecurity matters. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at large technology companies. The teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.

The Board oversees our enterprise risk management processes directly and through its Audit Committee. The Audit Committee of the Board oversees our cybersecurity risk and receives regular reports from our CIO on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.