AppLovin Corp - (APP)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Risk Management and Strategy.
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on, or conducted through, our information systems, that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We conduct periodic risk assessments to identify potential cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. The frequency of these risk assessments is based on the potential risk and criticality to our business systems. The risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential impact and damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we evaluate how to reasonably address identified gaps in existing safeguards to minimize identified risks and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high level personnel, including our Head of Information Security and Compliance, to manage the risk assessment and mitigation process.
As part of our overall risk management system, we monitor and test our safeguards, in collaboration with human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies and educated about cybersecurity best practices through annual company-wide cybersecurity training, regular phishing simulations, and role-based training, as appropriate.
We engage consultants and third parties in connection with our risk assessment processes. These providers assist us in evaluating our cybersecurity program, provide support for threat monitoring and detection, and scan for vulnerabilities and other related security events which may pose a risk to the company.
We utilize our third-party risk management program to evaluate the cybersecurity posture of our third-party service providers based on risk, including data and systems access. These processes assist us in identifying and mitigating risks from cybersecurity threats associated with our use of third-party service providers. Where appropriate, we contractually require third-party service providers to implement and maintain appropriate and reasonable security measures in connection with their work with us and consistent with applicable laws, and to promptly report any breach of their security measures or systems that may affect our company.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our company, including our business strategy, results of operations, or financial condition. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, are reasonably likely to materially affect our company in the future, including our business strategy, results of operations, or financial condition, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K, including the risk factor entitled “Security breaches, improper access to or disclosure of our data or user data, other hacking and phishing attacks on our systems, or other cyber incidents could harm our reputation and adversely affect our business.”
Governance
One of the key functions of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee.
Our Head of Information Security and Compliance and the InfoSec team are primarily responsible for assessing and managing our material risks from cybersecurity threats. Our Head of Information Security and Compliance has over two decades of experience leading cybersecurity, data privacy and risk management programs for large, multi-national organizations and Fortune 500 companies, and CISSP and CRISC certifications. Our InfoSec management team is comprised of qualified cybersecurity professionals whose collective expertise includes penetration testing, cyber threat intelligence, data privacy, information security, and risk and compliance in the healthcare, financial, and technology industries, with certifications such as CISA, CRISC, CISSP, CCSP, CIPP, GIAC, and OSCP.
Our Head of Information Security and Compliance and the InfoSec Team, in partnership with our Legal Privacy Team, oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our Head of Information Security and Compliance and the InfoSec Team are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through their implementation and oversight of safeguards, including through the use of automated tools and manual processes, like security event monitoring, vulnerability scanning, threat analytics, security awareness and training, endpoint security, bug bounty program, offensive security testing, and third-party risk and monitoring.
Our Head of Information Security and Compliance provides quarterly and as needed briefings to the Audit Committee regarding our company’s cybersecurity program and information security risks, including any recent AppLovin-related cybersecurity incidents and possible responses, internal and third-party cybersecurity systems testing, third-party risk management, and other topics related to cybersecurity. The Audit Committee provides updates to the Board on such reports. The Company has adopted an escalation process for review of cybersecurity incidents, based on severity level, by an internal cyber task force with oversight by the Audit Committee. In addition, our Head of Information Security and Compliance provides annual briefings to the Board on our cybersecurity program and risks.