BuzzFeed, Inc. 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

BuzzFeed, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:39:25 EDT.

Filings

10-K filed on 2025-03-14

BuzzFeed, Inc. filed a 10-K at 2025-03-14 16:39:25 EDT
Accession Number: 0001828972-25-000073

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy and Governance We are committed to protecting the security and integrity of our systems, networks, databases, and applications and, as a result, have implemented processes designed to prevent, assess, identify, and manage material risks associated with cybersecurity threats. Cybersecurity and risks related to our IT are an important focus of our board of directors’ risk oversight. Our board of directors, with assistance from its audit committee, oversees our cybersecurity risk assessment and response program. The audit committee receives reports at least quarterly from executive management, including our Senior Vice President of IT and Cybersecurity, on the identification and status of cybersecurity incidents, resolution, recovery, and post incident management. Managing Material Risks and Integrated Overall Risk Management We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. Our cybersecurity risk assessment process evaluates our maturity across key areas of cybersecurity, and incorporates industry standard framework considerations, including the National Institute of Standards and Technology. The cybersecurity risk management program employs a multi-layered approach including: - Awareness and training for employees involving phishing campaigns, informational sessions at management meetings, and annual mandatory training with simulations of common cybersecurity threats; - Evaluation of our technical, administrative, and end-point security, including encryption, firewalls, security scans, and anti-virus systems and logical security controls, along with control policies and active review procedures which strengthen authentication and access protection; - Third-party risk management process and monitoring procedures for service providers, suppliers, and vendors who have access to critical systems and information; - Risk and vulnerability management encompassing both proactive and predictive defenses, which provides opportunities to assess, remediate, and validate; and - Managed detection and incident response, including advanced endpoint protection. We continue to promote a company-wide culture of cybersecurity risk management awareness, and cybersecurity considerations are integrated in our decision-making processes. We have an experienced IT team led by our Senior Vice President of IT and Cybersecurity , who has more than 20 years of industry experience. Our Senior Vice President of IT and Cybersecurity reports directly to the executive team and works closely with our management team, and where necessary, engages external experts to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Our Senior Vice President of IT and Cybersecurity provides regular updates on cybersecurity to the audit committee of our board of directors . Engagement of Third Parties on Risk Management We engage with external experts, including cybersecurity consultants, to support our cybersecurity risk assessment and response program. These partnerships enable us to leverage specialized knowledge and insights. Our collaboration with these third parties includes biennial cybersecurity maturity assessments and consultation on security enhancements. Risks from Cybersecurity Threats We have not encountered risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations, or financial condition. From time to time, we experience cybersecurity events that require investigation. For additional information regarding any risks from cybersecurity threats, including as a result of any cybersecurity incidents that are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, refer to Part I, Item 1A, “Risk Factors,” within this Annual Report on Form 10-K. We have accommodated a significant number of our employee population to work remotely. This accommodation to remote working has also increased our vulnerability to risks related to our computer, technology, and communications hardware and software systems and has exacerbated certain related risks, including risks of phishing and other cybersecurity attacks. The damage or disruption to our or third-party systems, or unauthorized access to, or exposure of, intellectual property or personal or confidential information, could harm our operations, reputation and brand, resulting in a loss of business or revenue. It could also subject us to government sanctions, litigation from candidates, contractors, clients, and employees, and legal liability under its contracts, resulting in increased costs or loss of revenue. We may also incur additional expenses, including the cost of remediating incidents or improving security measures, the cost of identifying and retaining replacement vendors, increased costs of insurance, or ransomware payments. Cybersecurity threats continue to increase in frequency and sophistication, thereby increasing the difficulty of detecting and defending against them. Furthermore, the potential risk of security breaches and cyberattacks may increase as we introduce new service offerings. Any future events impacting us or our third-party vendors that damages or interrupts our or our third-party vendors’ computer, technology, and communications hardware and software systems, or exposes intellectual property or data or other confidential information, could have a material adverse effect on our operations, reputation, and financial results.

Company Information