Vimeo, Inc. - (VMEO)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
We maintain a comprehensive Information Security Management System (“ISMS”) program, which is led by a dedicated Chief Information Security Officer (“CISO”), who joined the Company in April 2023 and has 25 years of extensive technical and SaaS experience, having served in roles of increasing responsibility relating to information security at other large public companies. Our CISO has undertaken a comprehensive review of our information security systems and processes, and as a result, we have made significant improvements to our cybersecurity controls and procedures over the last eight months, and expect to see additional incremental improvement in our cybersecurity risk management over the next six to twelve months.

Under the CISO, the Information Security Team is responsible for defining and implementing the Company’s cybersecurity strategy, policy, standards, architecture, and processes. The Information Security Team oversees the delivery of network, cloud, email and application security, security monitoring, penetration testing, cybersecurity training and incident response. Our ISMS program has been developed based on industry standards, including those published by the International Organization for Standardization and the National Institute of Standards and Technology. Through our ISMS program, we have established a comprehensive collection of policies and standard operating procedures to guide our cybersecurity strategy, which includes an Information Security Policy applicable to all Vimeo personnel, as well as a Supplier Information Security Policy for our third-party software vendors, both of which set forth cybersecurity standards, controls, and training requirements designed to protect corporate and customer data, whether it is processed by Vimeo or a service provider. We also conduct regular workforce training to instruct employees to identify cybersecurity concerns and take the appropriate action.

Our cybersecurity governance framework includes oversight by the Audit Committee of our Board of Directors, which reviews the effectiveness of the Company’s management of cybersecurity, data privacy and other data- and technology-related risks, controls and procedures. The CISO reports regularly to our Audit Committee, as well as our Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. Our ISMS program is regularly evaluated by external experts, with the results of those reviews reported to senior management and the Board. The Audit Committee and, as appropriate, the Board also receive prompt and timely information regarding any high-severity cybersecurity incident, as well as ongoing updates regarding any such incident until it has been addressed.

As of the date of this report, we are not aware of any material risks resulting from any previously reported cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. We discuss the risks relating to cybersecurity threats and their potential impact on our business more fully in “Risk Factors” in Part I, Item 1A herein. Continuously enhancing our information security controls to meet the evolving cybersecurity threat landscape remains a top priority.