BRIGHTCOVE INC - (BCOV)

10-K Filing Date: February 22, 2024
Item 1C.

Cybersecurity

Processes for Assessing, Identifying, and Managing Material Risks from Cybersecurity Threats; Board of Directors Oversight of Risks from Cybersecurity Threats and Management’s Role and Expertise in Assessing and Managing Material Risks from Cybersecurity Threats.

Cyber Risk Management and Strategy

Our Board and management team recognize the importance of assessing, identifying, and managing risks from cybersecurity threats. Our process for assessing, identifying and managing risks from cybersecurity threats is informed by industry standards and includes internal cybersecurity risk assessments across our environment, and is supported by cybersecurity technologies, including automated tools, designed to monitor, identify, and address cybersecurity risks. We also have a process to assess and review the cybersecurity practices of new third-party vendors and service providers, including through established vendor requirements and risk assessments. This process also includes an annual re-assessment of critical third-party vendors and service providers.

This risk management program addresses, for example, risks identified by internal audits and assessments, external testing, threat intelligence providers, internal stakeholders, vulnerability management programs, and security tools and alerting. An internal business security team manages and maintains remediation strategies for identified risks and reports on them regularly to senior leadership.

We also regularly monitor the systems that contain personal data for internal and external threats to ensure confidentiality, availability, and integrity, and our incident response program contains controls to identify threats and alert us to suspicious activity. Internally, we prioritize proactivity as a critical component of our security practices and require that Brightcove employees participate in security training at least annually. We also distribute up-to-date information about the cybersecurity environment to increase awareness among employees. Additionally, as a public company, we evaluate our internal control over financial reporting in connection with Section 404 of the Sarbanes-Oxley Act, and our independent registered public accounting firm is required to attest to the effectiveness of our internal control over financial reporting.

Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats and security incidents relating to our and our third-party vendors’ information systems. For more information, please see the section titled “Risk Factors” included under Item 1A of this Annual Report on Form 10-K.

Governance Related to Cybersecurity Risks

Brightcove’s cyber risk management program, incident response process, and related operations are directed by the Vice President of Business Security (“VP, Business Security”). Currently, the VP, Business Security role is held by an individual who has over ten years of experience in cybersecurity, infrastructure, and cloud security and holds CISA, CISM, CIPM, and CDPSE certifications. The VP, Business Security reports to the Chief Legal Officer and is a member of the Brightcove Business Security working group, which has overall responsibility for establishing and implementing Brightcove’s cybersecurity strategy. Other members of the Brightcove Business Security working group include representatives from the product, security engineering, information technology, enterprise architecture and legal teams, who collectively have experience in cybersecurity, risk management, and compliance.

The Board is involved in the oversight of risks that could affect the company and receives updates at least quarterly from senior management, and periodically from outside advisors, regarding the various risks that the company faces. The audit committee assists the Board in its review and assessment of our cybersecurity, data privacy, and data security policies, practices, and procedures protecting our information technology systems, data, products, and services across all business functions, and reports its findings to the Board.

The audit committee has oversight over cybersecurity and related risks and concerns, and is responsible for interfacing with management and discussing with management the company’s principal risk exposures and the steps management has taken to monitor and control risk exposures, including cybersecurity and data protection policies. The audit committee is also responsible for, and reports to the Board on, (i) obtaining and reviewing reports on data management, security initiatives, and significant existing and emerging cybersecurity risks, including material cybersecurity incidents, (ii) assessing the impact on Brightcove and its stakeholders of any significant cybersecurity incident, and (iii) any disclosure obligations arising from any such incidents. The VP, Business Security reports to the audit committee to review the organizational cybersecurity program, risks, and status through quarterly updates and biannual meetings.

 
