Veritone, Inc. - (VERI)

10-K Filing Date: March 30, 2024
Item 1C. Cybersecurity.

Risk management and strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including, without limitation, intellectual property, confidential information that is proprietary, strategic or competitive in nature, and personal data (including sensitive personal data such as biometric data and employment-related data) (“Information Systems and Data”).

Our Chief Information Officer (“CIO”), our Vice President of Information Security (who serves as our Chief Information Security Officer (“CISO”)), and the Company’s information security function help identify, assess and manage the Company’s cybersecurity threats and risks. This team identifies and assesses risks from cybersecurity by monitoring and evaluating our threat landscape and the Company's risk profile using various methods, including, for example, manual and automated tools in certain environments and systems, subscribing to threat intelligence reports and services, scanning our environment for certain threats, evaluating our risk exposure, evaluating and analyzing certain reported threats, collaborating with law enforcement on certain threat intelligence, conducting internal and external cybersecurity audits, performing threat assessments in certain environments and systems, conducting vulnerability assessments in certain environments and systems, and engaging third-party experts for red/blue team testing and tabletop incident response exercises.

Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response plan, vulnerability management, disaster recovery and business continuity planning, risk assessments, encryption of certain data, network security controls in certain environments and systems, data segregation of certain data, access controls for certain environments and systems, physical security, asset management, vendor risk management, employee cybersecurity training, cybersecurity insurance, and dedicated cybersecurity staff.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, the information security team works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms (including legal counsel), cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, forensic investigators, and penetration testing firms.

We use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting and cloud-hosting companies. We have a vendor management program to manage cybersecurity risks associated with our use of certain of these providers. The program includes the administration of a security questionnaire for certain providers, evaluation of certain providers’ written security programs, and review of security assessments and reports from certain providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factors captioned “Risk Factors—Risks Related to the Development and Operation of Our aiWARE Platform and other Products—The security or operation of our platform, networks, computer systems or data, or those of third parties upon which we rely, may be breached or otherwise disrupted, and any such breach or other disruption could have an adverse effect on our business and reputation” and “Risk Factors—Risks Related to the Development and Operation of Our aiWARE Platform and other Products—Interruptions or performance problems associated with our technology and infrastructure, or that of our third party service providers, including AWS and Azure, may adversely affect our business and operating results.”

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management team, including our CIO, who has over 20 years of expertise in overseeing corporate information technology functions, and our CISO, who has 20 years of experience in the cybersecurity industry.

Our CIO and CISO are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel.

Our CIO and CISO are also responsible for approving cybersecurity budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Company’s Chief Executive Officer, CIO, security management team, and our legal team (including privacy). These stakeholders work with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response plan includes reporting to the board of directors for certain cybersecurity incidents.

The board of directors receives periodic reports, summaries or presentations from the CISO concerning the Company’s significant cybersecurity threats and risks, as well as the processes the Company has implemented to address them.