Bright Mountain Media, Inc. - (BMTM)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY
Risk management and strategy

Cybersecurity is a critical aspect of our operations, and our board of directors and management prioritize safeguarding our digital assets and ensuring the integrity and confidentiality of sensitive information to protect our assets, customers, and stakeholders. Our cybersecurity program is managed by our Global IT Director and overseen by our executive leadership team and board of directors. It encompasses risk management, a management framework, governance, education and training across the organization, SOC2 compliance, and an incident response protocol.

We employ a proactive risk management strategy to identify, assess, track, and mitigate cybersecurity risks. Our risk assessment process involves continuous monitoring of our IT infrastructure, external vulnerability assessments, and reviews of our third-party relationships. We prioritize risks based on their potential impact on our operations and implement targeted controls and safeguards to mitigate identified threats.

Our cybersecurity management framework is aligned with the Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST) and COBIT 2019. This framework provides a structured approach to managing our policies, standards, and processes, improving our cybersecurity posture. Additionally, we maintain SOC2 compliance, demonstrating our adherence to industry-recognized security standards and best practices.

Our board of directors and our executive leadership team, through our Information Security Executive Charter, oversee our risk management program, of which cybersecurity represents an important component. Our Global IT Director is responsible for managing our risk management program, including our cybersecurity strategies and initiatives and the periodic review of our policies, standards, and risks. Our Global IT Director has over 25 years of experience in technology and security.

Our executive leadership approves cybersecurity strategies, initiatives, and investments to ensure alignment with business objectives and risk tolerance.

In the event of a cybersecurity incident, we would follow an incident response protocol that includes procedures for incident tracking, escalation, containment, eradication, and recovery. As part of our incident response process, we would adhere to SEC reporting requirements related to cybersecurity incidents, providing timely and transparent disclosures as necessary.

Cybersecurity threats, and their evolving nature, pose a risk to us and our strategy, results of operations, and financial condition in the future. Our risk factors include further detail about the cybersecurity risks we face. To date, cybersecurity threats or incidents have not materially affected us or our operations. Our focus on risk management, governance, compliance, and incident response is intended to mitigate the potential harm posed by evolving cyber threats and challenges.