Fluent, Inc. - (FLNT)

10-K Filing Date: April 02, 2024
Item 1C. Cybersecurity.

We have made cybersecurity and the protection of our customers' data a top priority. The critical areas that we consider for our evolving cybersecurity program include access control; data encryption; SSDLC/change management; BCP/DRP; endpoint security; patch management; vulnerability assessments; compliance management; data privacy; incident response; monitoring, alerting, and logging; employee training; and cyber insurance.

Risk Management & Strategy

Our cyber risk management program is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. To help protect our company from a major cybersecurity incident that could have a material impact on operations or our financial results, we have implemented policies, procedures, programs and controls, including investments in technology that focus on cybersecurity incident prevention, identification and mitigation. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology ("NIST"). We perform a NIST 800-53 review annually and use its results on existing cyber risks to prioritize projects designed to address identified gaps and to create a go-forward strategy. Our internal and external auditors review our IT and cybersecurity controls annually for design and operating effectiveness.

Governance

Our Cybersecurity Program is governed by the Company's IT and Legal and Compliance teams. Our Chief Technology Officer ("CTO") has over 20 years of experience in marketing technology and analytics. Our Vice President of IT Governance, Risk and Compliance ("VP of IT") has over 20 years of experience in IT internal and external audits, IT consulting, and governance, risk, and compliance. Our General Counsels regularly coordinate with the IT team on data security and compliance issues. The CTO and General Counsels report directly to the Chief Executive Officer ("CEO"), so any material issues are raised to the CEO, and a status of key cybersecurity projects and any material breaches is provided quarterly to the Board's Audit Committee, which includes both an internal and external audit.

Incident Disclosure and Materiality

Our incident management procedures include identification, evaluation, definition, and escalation based on the determination of materiality. This determination involves the Company's IT and Legal and Compliance teams, executive officers, and cyber insurance provider. Breach notifications and escalation to the Audit Committee would also be based on the materiality determination. Each quarter, the VP of IT provides an update on key cybersecurity projects and any material breaches at the Audit Committee meeting, at which both the internal and external auditors are present.

While we did not experience a material cybersecurity incident during the year ended December 31, 2023, the scope and impact of any future incident cannot be predicted. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, results of operations, or financial condition. See Item 1A. "Risk Factors" for more information on our cybersecurity-related risks.