Digimarc CORP 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Digimarc CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:14:17 EST.

Filings

10-K filed on 2025-02-27

Digimarc CORP filed a 10-K at 2025-02-27 16:14:17 EST
Accession Number: 0001437749-25-005471


Item 1C. Cybersecurity.

Cybersecurity risk management is a critical component of our overall risk management program. We have implemented robust information security processes for assessing, identifying, and managing material risks from cybersecurity breaches that could adversely affect our business, financial condition and reputation. Although we have implemented measures to safeguard against cybersecurity risks, there is no assurance that these measures will prevent all incidents or fully mitigate their impact. We continuously work to enhance our information security processes and risk management program.

Our cybersecurity risk management program is led by our Senior Director of Information Security (“InfoSec”) with direction and oversight from the Company’s executive management team. The Senior Director of InfoSec and the Company’s executive leaders directly involved have extensive experience in information security, risk management, and technology, and a track record of successful leadership in areas relevant to cybersecurity.

On a regular basis, we conduct thorough cybersecurity risk assessments that encompass both financial and non-financial risks, to identify vulnerabilities within our information systems. We also engage third-party experts and consultants to assist with cybersecurity risk assessments and to perform black box and white box penetration testing. We have implemented continuous enterprise-wide monitoring tools to detect and assess cybersecurity threats. In addition, we maintain and practice our incident response plans to facilitate timely identification and reporting of cybersecurity events. Aligned with our broader risk management framework, our materiality assessment criteria are determined based on a comprehensive review of potential cybersecurity impacts on our operations, financials and reputation.

Our risk mitigation strategies include a broad variety of technical and operational measures, including, but not limited to, cross-functional collaboration among the information security, legal and risk management and operational teams, and Company-wide training on cybersecurity and privacy. We conduct regular and ongoing information security training and maintain a compliance program, which includes live and virtual training and periodic testing to ensure compliance with corporate standards and procedures. New employees must acknowledge that they have completed all the information security training and adhere to standards and procedures upon hire. All other employees acknowledge completion of this training annually.

In 2024, the Company again achieved System and Organization SOC Type II (“SOC 2”) compliance for its product digitization platform. An independent auditor provided this certification after conducting a comprehensive audit, confirming that from February 16, 2023, to February 29, 2024, our information security controls were well-designed and worked effectively. The Company is working diligently to continue to maintain compliance with SOC 2 with the audit for 2025 currently in process.

Our Board of Directors plays a vital role in overseeing the Company’s enterprise risk management program and has delegated cybersecurity risk management to the Audit Committee of the Board of Directors. The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the Company is exposed, and to implement processes to manage cybersecurity risks and mitigate cybersecurity incidents.

Our Senior Director of InfoSec provides annual updates to the Audit Committee on the current cybersecurity threat landscape, emerging risks, remediation plans, and the effectiveness of related internal controls, and our Chief Financial Officer provides quarterly updates to the Audit Committee regarding progress on the Company’s cybersecurity program. When applicable, additional cybersecurity updates are provided to our Audit Committee in interim periods in the event of a significant cybersecurity threat. All members of the Board of Directors are invited to attend these meetings.

The Audit Committee regularly engages in risk assessments specifically focused on cybersecurity, considering potential impacts on operations, financial results, and reputation, and periodically reviews cybersecurity policies and procedures to ensure they align with best practices and evolving cyber threats. In addition, the Audit Committee participates in the allocation of resources for cybersecurity initiatives, ensuring that investments align with the Company’s risk appetite and strategic objectives. The Audit Committee is also briefed on the Company’s crisis management and incident response plans, ensuring preparedness for potential cybersecurity incidents. The full Board of Directors participates with management in security tabletop exercises to test our incident response plans.

In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.


Company Information

Name: Digimarc CORP
CIK: 0001438231
SIC Description: Services-Computer Integrated Systems Design
Ticker: DMRC - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30