Vivid Seats Inc. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

Vivid Seats Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 06:39:37 EDT.

Filings

10-K filed on 2025-03-12

Vivid Seats Inc. filed a 10-K at 2025-03-12 06:39:37 EDT
Accession Number: 0000950170-25-037612

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We recognize the importance of maintaining the safety and security of our critical systems, information, products, services, and broader information technology environment (collectively, our “Information Systems and Data”), and we have developed, implemented, and maintained a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability thereof. Cybersecurity risks are addressed as a component of our overall enterprise risk management program. As such, our information security team works with management to prioritize our risk management processes and to mitigate those cybersecurity threats that are more likely to lead to a material impact on our business. Features of our cybersecurity risk management program include: - Periodic risk assessments designed to help identify cybersecurity risks that could materially impact our Information Systems and Data; - A security incident response team that is principally responsible for managing our cybersecurity risk assessment processes, information security controls, and response to any cybersecurity incident; - A cyber and data security incident response plan that establishes policies and procedures for identifying, managing, and recovering from a cybersecurity incident, including escalating tiers of notification depending on an incident’s nature and severity; - Periodic tabletop exercises with management and other employees to discuss, prepare for, and simulate our responses to potential cybersecurity incidents; - The use of third-party service providers, as appropriate, to assess, test, and assist with aspects of our information security controls; - The use of a third-party risk management process for our service providers, suppliers, and partners ; - Cybersecurity insurance designed to reduce the risk of loss resulting from cybersecurity incidents; - Cybersecurity policies and procedures, including those governing encryption standards, antivirus protection, remote access, multifactor authentication, confidential information, and the use of the internet, social media, email, and wireless devices; and - Required annual privacy and cybersecurity training (including spear phishing and other awareness exercises) for employees. Because the techniques used to obtain unauthorized access, disable/degrade service, or sabotage systems change frequently, we have invested and continue to invest in the security and resiliency of our systems and networks to help protect our Information Systems and Data. For a discussion of cybersecurity-related risks that may materially affect us and how they may do so, see the “Risk Factors-Risks Related to Information Technology, Cybersecurity, and Intellectual Property” section of this Report. Cybersecurity Governance Our Board is responsible for overseeing our overall enterprise risk management program, and each of its committees assists in this risk oversight role. Our Board has delegated the monitoring and oversight of risks relating to data privacy, technology, information security, and cybersecurity to our Audit Committee , which regularly reports to our Board regarding its activities, including those related to the management of these risks. Our Board also receives periodic briefings from management regarding our cybersecurity risk management program, including presentations on cybersecurity topics from our CTO, our information security team, and other third-party experts. 35 Our Audit Committee oversees management ’ s implementation of our cybersecurity risk management program. It receives regular updates from our CTO and other members of management on cybersecurity trends and developments, the cybersecurity risks that are most relevant to our business, and our cybersecurity strategy, as well as other updates, as appropriate, regarding certain cybersecurity incidents. A cross-functional management team, including members of our information security, technical infrastructure, engineering, and legal departments, is responsible for identifying, assessing, and managing the risks from cybersecurity threats that are relevant to our business, as well as managing our response to any cybersecurity incident (and, depending on an incident’ s potential nature and severity, reporting it to our Audit Committee and considering with management whether public disclosure is appropriate or required). This team has primary responsibility for our cybersecurity risk management program, including our cyber and data security incident response plan, supervises our internal personnel and third-party service providers, and communicates our cybersecurity risk management processes to management, our Board, and our Audit Committee. This team reports to our CTO , who has more than 15 years of experience in the technology sector, and possesses nearly 60 years of combined experience in cybersecurity matters, including threat assessment and detection, mitigation technologies, incident response, cyber forensics, and regulatory compliance. In addition to relevant educational and industry experience, members of this team, including the heads of our information security and technical infrastructure departments, hold relevant cyber and information security certifications, including from ISACA (Certified Information Security Manager and Certified Information Systems Auditor) and ISC2 (Certified Information Systems Security Professional). This team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including, as appropriate, the operation of our cyber and data security incident response plan, briefings from internal security personnel, threat intelligence, and other information obtained from governmental, public, or private sources, including our third-party service providers, and alerts and reports produced by security tools deployed in the information technology environment.

Company Information