Thryv Holdings, Inc. - (THRY)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

Corporate Governance

Our information security program is managed by a dedicated Vice President of Information Technology, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Vice President of Information Technology also provides quarterly reports to the Audit Committee of our Board of Directors (the “Audit Committee”). The Vice President of Information Technology also provides reports to our Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the current threat landscape. Our program is regularly evaluated by internal and external experts, with the results of those reviews reported quarterly to the Audit Committee and senior management. We also actively engage with key vendors and industry participants as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.

Risk Management and Strategy

We have established processes and policies for assessing, identifying and remediating material risks posed by cybersecurity threats. Our processes and policies are based upon the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Our processes are focused on: (i) effecting organizational education on how to manage cybersecurity risks, (ii) implementing safeguards to protect our systems, (iii) detecting the occurrence of a cybersecurity incident, (iv) responding to a cybersecurity incident and (v) recovering from a cybersecurity incident. Additionally, we have a cybersecurity incident response plan including specific responsive protocols administered by an incident response team, led by our Vice President of Information Technology and comprised of other members of management.

As a part of our organizational education on risk management, we require that employees annually complete information and privacy training. We also administer employee awareness training around phishing, malware, and other cyber risks on an ad hoc basis as necessary to enhance our protection efforts. We actively engage with key vendors and industry participants as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. For example, our incident response team conducts periodic tabletop exercises with outside consultants to ensure adherence to our cybersecurity incident response plan. Additionally, we maintain cybersecurity insurance coverage as part of our overall insurance portfolio.

As of December 31, 2023, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected the Company, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see “Risk Factors - An information security breach of our systems or our data centers operated by third-party providers, the loss of, or unauthorized access to, client information, or a system disruption could have a material adverse effect on our business, market brand, financial condition and results of operations.”
