Page last updated on March 7, 2025
Outbrain Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 16:07:47 EST.
Filings
10-K filed on 2025-03-07
Outbrain Inc. filed a 10-K at 2025-03-07 16:07:47 EST
Accession Number: 0001454938-25-000020
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We utilize various risk management guides, as well as the protocols of certain certifications as described below to identify, assess, and manage cybersecurity risks relevant to our business through our risk management program. Our cybersecurity risk management program includes a cybersecurity incident response plan.
Outbrain uses COBIT, or Control Objectives for Information Technologies, as a framework for risk management and manages various controls as required by ISO 27001, 27017 and 27032 standards. Outbrain maintains the following certifications: ISO 27001, ISO 27017 and ISO 27032, Cloud Security Alliance Star level 1 and PCI-DSS SAQ A-EP. Outbrain’s on-premises data centers are SOC 2 certified. Teads utilizes NIST as a framework for risk management and manages various controls as required by SOC2 Type 2. Teads maintains the SOC2 Type 2 certification and its cloud infrastructure providers are ISO 27 certified.
In addition to our certifications, we (i) conduct routine employee training sessions and onboarding security training, including phishing simulations, to increase awareness of phishing and other cyber threats; (ii) require multi-factor authentication access methods for all employees into our network; (iii) operate general monitoring and service protections that are subject to continuous enhancements to detect and mitigate various threats, including performing ongoing manual and automatic vulnerability assessment tests; and (iv) manage an ongoing cyber risk-management framework to assess internal technological changes, as well as external systems and services as part of supply chain risk.
In an effort to detect vulnerabilities or cyber breaches that we have not yet discovered, we regularly run an exhaustive security testing framework, including scanning all internal and external assets for vulnerabilities, utilizing multiple third-party security testing teams every year, and maintaining a bug bounty program.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Our cybersecurity risk management program includes:
- Ongoing risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
- a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- cybersecurity awareness training of our employees, incident response personnel, and senior management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for service providers, suppliers, and vendors.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks.
The Audit Committee oversees management’s implementation of our cybersecurity risk management program. The Audit Committee receives quarterly reports from management regarding our cybersecurity risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as certain other incidents that have lesser impact potential.
The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cyber risk management program, including education sessions regarding cybersecurity topics from our Chief Information Security Officer (CISO), internal security staff or external experts.
Our Risk Committee, which includes our CEO and other members of management, meets quarterly as part of the Company’s enterprise risk management program, with cybersecurity being the most significant area of review and reporting.
Our security team, including our Governance Risk and Compliance lead (GRC) and CISO, is responsible for assessing and managing our risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CISO has 25 years of experience as a technology leader, with extensive experience within the cybersecurity ecosystem and risk management. He has been certified as a CISO by the Israeli Technion Institute.
Our security team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
Information Systems Acquired from Teads
As disclosed above in Item 1 under “Acquisition of Teads,” on February 3, 2025, we completed our acquisition of Teads. Teads’ legacy information systems are currently maintained separately from Outbrain’s preexisting information system infrastructure. After we are able to fully evaluate Teads’ legacy information systems, protocols and practices, we plan to operationally integrate either the legacy Teads system or the legacy Outbrain system, and these integrated systems will then be subject to Outbrain’s cybersecurity risk management structure and strategy. While we integrate these systems, our GRC and CISO are engaging in cybersecurity risk management activities, and any cybersecurity incidents detected on the legacy Teads information systems are assessed, managed and reported in accordance with the governance processes detailed above.
Company Information
Name | Outbrain Inc. |
CIK | 0001454938 |
SIC Description | Services-Computer Programming, Data Processing, Etc. |
Ticker | OB - Nasdaq |
Website | |
Category | Accelerated filer Smaller reporting company Emerging growth company |
Fiscal Year End | December 30 |