Digital Turbine, Inc. 10-K Cybersecurity GRC - 2024-05-28

Page last updated on July 16, 2024

Digital Turbine, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-28 17:16:11 EDT.

Filings

10-K filed on 2024-05-28

Digital Turbine, Inc. filed a 10-K at 2024-05-28 17:16:11 EDT
Accession Number: 0001628280-24-025455

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain a comprehensive process for identifying, assessing, and managing material risks from cybersecurity threats as part of our broader risk management system and processes. This cybersecurity risk management process includes a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access and other security incidents and vulnerabilities. As part of our cybersecurity risk management process, we conduct regular application security assessments, vulnerability management, external penetration testing, security audits, and risk assessments. We leverage third-party security service providers to provide continuous and uninterrupted identification and mitigation of risk-prioritized security events. We maintain an incident response plan that is utilized when incidents are detected. Our incident response plan coordinates the activities that we and our third-party cybersecurity provider take to prepare to respond, recover from and mitigate cybersecurity incidents, which include processes to assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational harm. We require employees with access to information systems, including all corporate employees, to undertake data protection, cybersecurity, privacy and compliance programs at least annually. We maintain a team of dedicated security and compliance professionals who oversee cybersecurity risk management, mitigation, incident prevention, detection, and remediation, which is led by our Chief Information Security Officer (“CISO”). The team has deep cybersecurity experience with an average tenure of over 20 years with expertise in protecting critical assets for top firms in a myriad of different industries. We leverage SOC 2 Type 2 attestation framework to determine the operating effectiveness of our internal security controls and use NIST Cybersecurity framework to better understand, manage and reduce cybersecurity risk and protect our business from ever-changing cyber threats. As part of our cybersecurity risk management process, we contractually require third-party service providers to implement and maintain key security measures in connection with their work with us when appropriate that is consistent with applicable laws. Additionally, our third-party service providers are to promptly report any breach of their security measures or systems that may affect our Company. Our security and compliance professionals track and log privacy and security incidents across our vendors and other third-party service providers to remediate and resolve any such incidents. Significant incidents associated with our vendors and service providers are reviewed regularly to determine whether further escalation is appropriate. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment, and then reported to designated members of our senior management. Our executive leadership team, along with input from the above team, are responsible for our overall enterprise risk management system and processes and regularly consider cybersecurity risks in the context of other material risks to the Company. The Audit Committee has oversight responsibility over our cybersecurity risk management process, including risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Senior management regularly discusses on at least a quarterly basis and otherwise as needed, cyber risks and trends and, should they arise, any material incidents with the Audit Committee. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Company Information