Investview, Inc. - (INVU)
10-K Filing Date: March 29, 2024
Risk Management and Strategy
The Company’s cybersecurity risk management practices are intended to assess, identify and manage risks from threats to the security of our information, systems, products and network. Our cybersecurity program is a key component of our broader risk management strategy in which cyber risk has been identified and is actively managed with preventive and mitigating measures. We design and assess our cybersecurity program based on the National Institute of Standards and Technology’s Cybersecurity Framework, ISO 27001, and industry-specific regulations. This does not imply that we meet any particular technical standards, specifications or requirements, but rather that we use them as a guide to help us identify, assess and manage cybersecurity risks relevant to our business.
Cybersecurity incidents could result from unintentional events, or from deliberate attacks by unauthorized entities or individuals attempting to gain access to Investview’s System Technology for the purposes of misappropriating assets or information or causing operational disruption and damage. To mitigate the risk of an impact to our business operations and/or damage from cybersecurity incidents or cyberattacks, Investview invests in multiple forms of cybersecurity and operational safeguards.
On an ongoing basis, we assess our people, processes, and technology, and when necessary, modify the overall program in order to meet the demands of the ever-changing cyber risk environment. As part of our regular training and readiness program, we conduct phishing simulation and penetration testing campaigns so that our employees are familiar with the types of phishing emails and similar threats they may encounter.
Our data is backed up on an ongoing basis to mitigate against data loss. To prevent unauthorized access and data breaches, we encrypt sensitive data both in transit and at rest. We have also implemented access controls and multi-factor authentication to ensure that only authorized personnel can access sensitive information. We also utilize third-party information technology systems vendors to conduct continuous network and endpoint monitoring.
Our risk management program comprises, among other things, policies that are designed to identify, assess, manage, and mitigate cybersecurity risk. It is based on applicable laws and regulations and is derived from industry standards and best practices.
We conduct risk assessments to evaluate the effectiveness of our systems and processes in addressing threats and to identify opportunities for enhancements. Additionally, we conduct privacy and cybersecurity reviews, as well as annual employee training, and monitor emerging laws and regulations related to information security and data protection. We utilize third party tools and techniques to test and enhance our security controls, perform annual cybersecurity framework assessments, conduct ongoing penetration testing of our systems, and benchmark against best practices. Our internal audit function provides an independent assessment on the overall operations of our cybersecurity program and the supporting framework.
Our cybersecurity team engages and utilizes third-party services as it monitors and actively responds to cybersecurity threats. We utilize an Endpoint Detection and Response (EDR) platform, an anti-virus application through which incoming electronic communications are filtered, and an email security platform that looks for indicators that a communication disguises, impersonates, or otherwise misrepresents its source. If such a communication is detected, it is quarantined or removed depending on the severity of the issue. Additionally, we use a Security Information and Event Management (SIEM) system, which allows us to store logs off the system of record to prevent log tampering and gives the cybersecurity team the ability to build alerts for specific use cases that are important and unique to our business. If our applications fail or our software does not successfully block a malicious electronic communication, employees are required to notify an immediate supervisor or the cybersecurity team promptly, and in no circumstances later than twenty-four (24) hours after such occurrence.
Upon detection of a cybersecurity incident and initial intake and validation by our cybersecurity team, our incident response team triages and evaluates the cybersecurity incident, and, depending on the severity, escalates the incident to management and a cross-functional working group. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment and reported to executive management. Determination of what resources are needed to address the incident, prioritizing of response activities, forming of action plans, and notification of external parties as needed are then undertaken by executive management and the cross-functional working group, led by our Senior Information Officer (SIO). We consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and our executive management makes the final materiality and disclosure determinations, among other compliance decisions.
Governance
The Board, the Senior Information Officer (“SIO”) and Management actively assess the Company’s cybersecurity and data privacy risk management practices with the goal of being proactive rather than reactive. The Board, the SIO and Management regularly review the Company’s cybersecurity and data privacy risks, including our policies, controls and procedures for identifying, managing and mitigating such risks. The Board receives periodic reports from our SIO and, to the extent their relevant areas are impacted, from other members of Management regarding cybersecurity and data privacy measures and procedures, the identification of security gaps and compliance with applicable cybersecurity and data privacy regulations. The SIO also briefs the Board at scheduled meetings regarding cybersecurity and data privacy developments.
Management and the SIO are responsible for day-to-day monitoring of the prevention, detection, mitigation and remediation of cybersecurity incidents. Our SIO, who reports to our Chief Operating Officer, has primary oversight of the material risks from cybersecurity and data privacy matters. Our SIO has more than 20 years of experience across various information technology, information security and management roles, including leading the development and implementation of cybersecurity and data privacy strategies for the employee and customer-facing aspects of our business.
In 2023, we did not identify any cybersecurity incidents or threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite our efforts, we may not be successful in eliminating all risks from cybersecurity threats and can provide no assurances that undetected cybersecurity incidents have not occurred. See Part I, Item 1A. “Risk Factors” of this Annual Report for more information regarding the cybersecurity risks we face.