LiveRamp Holdings, Inc. - (RAMP)
10-K Filing Date: May 22, 2024
Item 1C. Cybersecurity
Our customers’ and partners’ trust is crucial to our business; as such, a cybersecurity incident impacting the confidentiality, integrity, or availability of LiveRamp’s systems or the data we process may have a significant impact on our strategy, operations, and financials. Direct impacts may include fees, penalties, or loss of customer revenue. Furthermore, a material cybersecurity incident could harm our business and reputation and diminish our competitive position.
In order to mitigate cybersecurity risk, LiveRamp maintains a security program based on widely known and accepted industry standards, including NIST CSF, ISO 27001, and SOC 2. Aligning to these standards allows our program to adjust to changing conditions such as new technology, industry best practices, or organizational risk tolerance.
Security Governance
Oversight of our security program starts at the Board level. On an annual basis, the enterprise risk team reports to the full Board regarding the top ten enterprise risks, including cybersecurity. Additionally, on a quarterly basis, the Audit Committee receives presentations by LiveRamp security, highlighting any risks, initiatives, and/or relevant industry trends.
LiveRamp maintains a Security Charter which establishes the overall security program, appoints responsibility and authority to the Chief Information Security Officer (CISO), and establishes a Security Action Committee (SAC) to provide leadership and oversight. LiveRamp’s CISO has over 20 years of experience as the Company’s security leader, and maintains several industry standard security certifications. The members of the security leadership team, who report directly to the CISO, each have at least a decade of experience relevant to their area of responsibility.
The SAC includes leadership across our security, enterprise risk management, internal audit, engineering, product, data ethics, legal, and commercial teams. The SAC is responsible for reviewing and approving major updates to LiveRamp’s security policies and standards, reviewing and recommending actions related to exceptions to the security program, ensuring that the security program is in alignment with business objectives, ensuring that the organization has appropriate training and awareness related to security, and providing leadership and support for the security program.
Cybersecurity is also a responsibility of all LiveRamp employees. All employees must undergo annual security awareness training, which covers topics including, but not limited to, phishing, incident reporting, insider threat, and LiveRamp's Security and Acceptable Use policies.
Security Risk Management
LiveRamp also maintains a security risk management program overseen by our CISO and aligned with the Company’s overall Enterprise Risk Management strategy. The security risk management program includes processes for consistently identifying, classifying, analyzing, and documenting risk. Throughout the year, LiveRamp’s security team conducts risk assessments focused on a particular product or compliance scope. Risks are documented and communicated to relevant stakeholders.
In addition to internal teams and resources, LiveRamp leverages a variety of third parties in support of our security risk management efforts. Third-party managed services are used to support functions including our Security Operations Center, forensic incident response, and incident response tabletop exercises. Third-party providers are also utilized for penetration testing and for a bug bounty program. Third-party tooling is utilized in support of functions including threat intelligence, security logging, security information and event management (SIEM), vulnerability scanning, email protection, security awareness training, secure development training, cloud posture management, secret management, identity and access management, and anti-malware. Furthermore, following the shared responsibility model with our cloud service providers, we rely on their implementation of certain security controls, such as physical security.
External auditors regularly review LiveRamp’s security posture. We engage with auditors directly on an annual basis to assess controls specific to a particular scope and compliance standard (e.g. SOC 2 or ISO 27001). External auditors also perform assessments on behalf of our customers to validate our compliance with specific customer requirements. Furthermore, on a periodic basis, an external audit is sponsored by the Board of Directors to perform an independent review of the capability maturity of LiveRamp’s security program.
In order to mitigate risk associated with the use of third parties, LiveRamp maintains a third-party risk management program, incorporating the review of third parties by data ethics and security teams. A third party’s inherent security risk is determined by identifying their level of access to our systems and data. Third parties with a high inherent risk or with access to sensitive data types undergo a review of their security controls, wherein LiveRamp reviews the third party’s responses to a security due diligence questionnaire, external audit reports, penetration test reports, and/or security policies. A residual score is then determined based on the third party’s controls and/or operational impact to LiveRamp. LiveRamp does not approve the use of any third parties with an inadequate security posture. For third parties handling personal information, LiveRamp also conducts legal and privacy due diligence to assess legal and privacy risks and apply mitigations where appropriate. LiveRamp security also conducts ongoing monitoring of existing third parties. On a cadence determined by the third party’s residual risk level, controls are re-evaluated to ensure that the security controls of the third party have not been diminished.