Direct Digital Holdings, Inc. 10-K Cybersecurity GRC - 2024-10-15

Page last updated on October 15, 2024

Direct Digital Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-15 16:38:57 EDT.

Filings

10-K filed on 2024-10-15

Direct Digital Holdings, Inc. filed a 10-K at 2024-10-15 16:38:57 EDT
Accession Number: 0001558370-24-013317

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cybersecurity Risk Management and Strategy All companies utilizing technology are subject to cybersecurity threats. We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks, extortion, harm to employees or customers and violation of data privacy or security laws. We aim to incorporate best practices throughout our cybersecurity program. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. We have processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees to help identify, avoid, and mitigate cybersecurity threats; policy regarding cybersecurity; mechanisms to detect and monitor unusual network activity; and containment and incident response procedures. Third parties also play a role in our cybersecurity. We engage third-party services to conduct evaluations of our security controls, whether through independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. In the event of an incident, we intend to follow our detailed incident response policy and procedure, which outlines the steps to be followed from incident detection to mitigation, including notifying functional areas (e.g. legal), as well as senior leadership and the board of directors, as appropriate. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. Any significant disruption to our service or access to our systems could affect our business and results of operations. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. For more information regarding risks surrounding cybersecurity, please see “Risk Factors” of this Annual Report on Form 10-K. In the past two fiscal years, we have not identified any risks from cybersecurity threats that have materially affected (or are reasonably likely to materially affect) our business, results of operations, or financial condition . We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business, results of operations, or financial condition. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management team. Our board of directors have ultimate oversight regarding our cybersecurity with our audit committee specifically assisting the board of directors in the role of risk oversight by regularly reviewing cybersecurity matters and reporting to the board of directors. The Company’s Chief Technology Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters. Cybersecurity risk matters are reflected on reports and updates to operations management, senior management and our audit committee on a quarterly basis. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. To aid the board of directors with its cybersecurity and data privacy oversight responsibilities, the board of directors periodically hosts experts for presentations on these topics. For example, in 2023, management hosted an expert during the annual board of directors’ retreat to discuss developments in the cybersecurity threat landscape. Our board of directors also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Anu Pillai, our Chief Technology Officer, leads our cybersecurity efforts. She has been serving in her current role since March 2021. Anu has over 20 years of experience serving companies across multiple industries in senior management roles, within information technology and as such has developed substantial experience in cybersecurity, among other areas. Team members who support our Chief Technology Officer have similar broad experience and expertise in information security, including cybersecurity.

Company Information