Trade Desk, Inc. - (TTD)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Management has implemented a program to protect the confidentiality, integrity and availability of our information systems and to identify, assess, manage and report on material risks from cybersecurity threats. The program is managed by an in-house cybersecurity team, and the program includes risk management and mitigation processes, such as malware protection, access management, technical vulnerability management and security incident response among other processes and technical safeguards; communication with third-party providers of services regarding their information security practices and disclosed cybersecurity incidents; the use of third-party service providers, as appropriate, for monitoring and mitigating cybersecurity threats and conducting penetration tests; education and training across the organization to mitigate cybersecurity threats to employees and our company; the maintenance of cybersecurity breach insurance; and disaster recovery and business continuity arrangements to minimize the potential impact to our operations in the event of a cybersecurity incident.
The cybersecurity program is aligned with our enterprise risk framework. Members of our cybersecurity, enterprise risk management, finance and legal teams collaboratively assess the degree of risk to our business and operations from cybersecurity threats and incidents to develop incident response plans and risk mitigation practices. Risk is assessed across the potential technological, operational, financial, legal, regulatory and reputational impacts to our company, including the materiality of cybersecurity incidents pursuant to SEC disclosure rules.
Although we follow guidance from various standards related to cybersecurity and engage third-party attestation services to test controls relevant to our business, this does not imply that we meet any particular technical standards, specifications or requirements.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, financial condition or results of operations. However, we remain subject to unknown or future cybersecurity threats that could materially affect us, including our business strategy, financial condition or results of operations. See “Item 1A. Risk Factors” for a discussion of various risks related to cybersecurity.
Governance
Our board of directors has delegated oversight of all risk assessment and risk management activities to the audit committee. The audit committee provides strategic oversight of management’s risk management practices, including cybersecurity. Regular and ad hoc reporting from management, such as the executive risk committee (as described below), to the audit committee may include information about the prevention, detection, mitigation and remediation of material cybersecurity incidents, if any.
Our executive risk committee, which is comprised of our Chief Financial Officer, Chief Legal Officer and Senior Vice President, Technology, oversees the cybersecurity risk assessment and mitigation activities and receives regular reports from our cybersecurity team regarding the nature, timing and extent of incidents that occur across the Company’s internal environments and those disclosed by third-party service providers, if applicable. Our cybersecurity team is comprised of technically skilled professionals with computer science, cybersecurity assurance or other cybersecurity degrees and professional experience in monitoring, detecting, mitigating and preventing cybersecurity incidents and testing cybersecurity processes. The executive risk committee has expertise in the pertinent financial, legal, regulatory, operational and technical areas to assess the impact of cybersecurity risks and incidents across the business and oversee our response to and disclosure of such incidents. In particular, our Senior Vice President, Technology brings decades of technical experience to our executive risk committee along with technical education in computer engineering.
40