Shutterstock, Inc. - (SSTK)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We recognize the importance of assessing, identifying and managing risks from cybersecurity threats, and our processes to manage risks from cybersecurity threats have been integrated into our overall risk management framework.
As a foundation of this approach, we have implemented a layered governance structure, and our privacy and cybersecurity risk management systems encompass policies, practices, and procedures for incident responses, information security and vendor management. In order to help develop these policies and procedures, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do business including European Union General Data Protection Regulation (GDPR), UK Data Protection Law, the Brazilian General Data Protection Law (LGPD), the California Privacy Rights Act (CPRA) and other US state privacy laws, as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks.
We annually undergo a Payment Card Industry (PCI) compliance certification process and obtain an attestation through a Qualified Security Assessor (QSA). We have an established bug bounty program and conduct penetration testing as needed to identify vulnerabilities for remediation. With respect to third party service providers, we obligate vendors to adhere to privacy and cybersecurity measures and perform risk assessments of vendors, including their ability to protect data from unauthorized access.
As described in Item 1A “Risk Factors,” our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks, as we provide content licensing to customers in more than 150 countries and license content from contributors located in over 100 countries. Computer viruses, hackers, employee or vendor misconduct, and other external hazards could expose our information systems and those of our vendors to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business including brand reputation, customer sales, legal impacts, and financial costs. While we have experienced cybersecurity incidents, to date, we have not experienced any material cybersecurity incidents.
The sophistication of cybersecurity threats, including through the use of artificial intelligence, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency such as artificial intelligence, cloud computing, and machine learning may further expose our computer systems to the risk of cybersecurity incidents.
Governance
As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including Board oversight, executive commitment and employee training. Our Audit Committee, comprised of independent directors from our Board, oversees the Board’s responsibilities relating to the operational (including information technology (IT) risks, business continuity and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through quarterly reports from our group Chief Information Security Officer (CISO).
Our CISO, who has over 20 years of experience in cybersecurity and technology, oversees the implementation of and compliance with our information security standards and the mitigation of information security related risks. We also have management level committees and a cybersecurity incident team that support our processes to assess and manage cybersecurity risk as follows:
•Privacy is co-chaired by the CISO and Assistant General Counsel. They bring together cross-functional members from IT, cybersecurity, legal, compliance and other functions as needed throughout the year to consider emerging technologies, such as artificial intelligence, and emerging cybersecurity and privacy risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.
•Our Technology Leadership Team, which includes our group Chief Technology Officer, CISO, Technology Vice Presidents, and members of executive leadership, oversees IT initiatives while considering cybersecurity risk mitigation with respect to these initiatives on a monthly cadence.
•Our Senior Leadership Team, including IT, operations, risk, legal and compliance leaders across business segments, meets quarterly to manage risks from matters related to business continuity, including risks posed by cybersecurity threats, and implements controls to mitigate such operational risks. Among other processes, these leaders review the Company’s programs and processes related to information security, third party risk, vendor management, facilities, unplanned downtime, business disruption, business continuity and disaster recovery.
•The Crisis Incident Management Team, which includes senior executives across the Company, is alerted as appropriate to cybersecurity incidents, natural disasters and business outages. Annually, this team assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options.
Each of these committees provides summary reports on their activities, which the CISO communicates as appropriate to the Audit Committee.
At the employee level, we maintain an experienced information technology team that is tasked with implementing our privacy and cybersecurity program and supports the CISO in carrying out reporting, security and mitigation functions. We also hold annual employee trainings on privacy and cybersecurity and on records and information management, and we generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.