IZEA Worldwide, Inc. - (IZEA)

10-K Filing Date: April 01, 2024
ITEM 1C - CYBERSECURITY

Risk Management and Strategy

As part of our enterprise risk assessment function, which is led jointly by IZEA’s President & COO; our Director, Systems & Security; and our Senior Development Operations (DevOps) leader, we have implemented processes to assess, identify and manage the material risks facing the company, including from cyber threats. Our enterprise risk assessment function is part of our overall risk management processes. Our cybersecurity program is built upon internationally recognized frameworks, such as SOC-2 compliance for systems and organization controls related to our software development, and maps to standards published by the Center for Internet Security (CIS) for our day-to-day operational stance. We believe that our processes provide us with a comprehensive assessment of potential cyber threats. We conduct regular scans, penetration tests, and vulnerability assessments to identify any potential threats or vulnerabilities in our systems. Our processes to assess, identify and manage the material risks from cyber threats include the risks arising from threats associated with third-party service providers, including cloud-based platforms.
We have developed a robust cyber crisis response plan which provides a documented framework for handling high severity security incidents and facilitates coordination across multiple parts of the company. Our incident response team constantly monitors threat intelligence feeds, handles vulnerability management and responds to incidents. In addition, we routinely perform training, simulations, and drills across company personnel.
Internally, we have a security awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The security awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on an annual basis, and it is supplemented by testing initiatives, including periodic phishing tests. We also provide specialized security training for certain employee roles, such as application developers. Finally, our privacy program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.
From time to time, we engage third-party service providers to enhance our risk mitigation efforts. For instance, we have routinely engaged an independent cybersecurity advisor to lead a cybersecurity crisis simulation exercise that has been used by our senior leaders to prepare for a possible cyber crisis. In addition, we have engaged: 7 Layer Solutions, a security auditor and advisor in systems administration and penetration testing; A-LIGN, a systems auditor and advisor for cybersecurity and compliance; Grant Thornton, an IT Systems auditor and assurance vendor; and KnowBe4, an email security and cybersecurity training partner. We also purchase insurance to protect us against the risk of cybersecurity breaches. Our General Counsel and CFO are responsible for our insurance programs and review our cyber insurance policies on an annual basis and assess whether we have appropriate coverage.

To date, risks from cybersecurity threats have not previously materially affected us, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. However, as discussed more fully under “Item 1A – Risk Factors”, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches of these types, including security threats that may result from third parties improperly employing AI technologies, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
Governance
Role of Management
IZEA’s President & COO, our Director, Systems & Security, and our Senior Development Operations (DevOps) leader are jointly responsible for the day-to-day management of our cybersecurity risks. We have established a Security Council, which includes our President & COO; Director, Systems & Security; Senior Manager, Systems & Security; Chief Financial Officer; General Counsel and other senior officers, that meets on at least a quarterly basis to review cybersecurity and information security matters. The Security Council has primary management oversight responsibility for assessing and managing information security, fraud, vendor, data protection and privacy, and cybersecurity risks.
We have a security incident response framework in place. We use this incident response framework as part of the process we employ to keep our management and Board of Directors informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The framework is a set of coordinated procedures and tasks that our incident response team, under the direction of our President & COO, executes with the goal of ensuring timely and accurate resolution of cybersecurity incidents. Our cybersecurity framework includes regular compliance assessments with our policies and standards and applicable state and federal statutes and regulations. In addition, we validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits.
Our President & COO and our Director, Systems & Security each have extensive experience in the information technology area. In particular, our Director, Systems & Security has over twenty years of professional experience in the information security area, including as a result of his service as a director of security, a security architect, and a software security engineer at companies such as Squarespace, Verizon Media (Oath), Tumblr, Bridgewater Associates and EMC.
Role of the Board of Directors
The Audit Committee of the Board of Directors is responsible for the primary oversight of our information security programs, including relating to cybersecurity. The Audit Committee receives regular reports from our President & COO on, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our security program, and our views of the emerging threat landscape. Our President & COO is responsible for reporting to the Committee on our company-wide enterprise risk assessment, and that assessment also includes an evaluation of cyber risks and threats. The Chair of the Audit Committee has the opportunity to report to the Board on cybersecurity risks and other matters reviewed by the Committee. Furthermore, all Board members are provided with updates on key points discussed during each Audit Committee meeting and may access the materials for each Audit Committee meeting.
As a matter of process, the Audit Committee annually reviews, and recommends to the Board its approval of, our information security policy and information security program. Furthermore, on an annual basis, the Board reviews and discusses our technology strategy with our President & COO and approves our technology strategic plan.