Page last updated on March 14, 2025
Emerald Holding, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:01:34 EDT.
Filings
10-K filed on 2025-03-14
Emerald Holding, Inc. filed a 10-K at 2025-03-14 16:01:34 EDT
Accession Number: 0000950170-25-039386
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Cybersecurity is an important part of our overall risk management systems and processes and an area of focus for our Board and management. We have developed and implemented an enterprise-wide information security program designed to identify, protect, detect, and respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity and privacy threats, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools, third-party Security Operations Center monitoring and incident response services, proactive patching and risk mitigation, and a third-party penetration testing program to allow security researchers to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. We also maintain a third-party risk management program to ensure we understand the security posture of the partners we integrate with or build business reliance upon, ensure they can meet our cybersecurity standards and policies, and take precautions and mitigations designed to limit our exposure to supply chain attacks; however, there are circumstances in which the efforts of the third parties upon which we rely to maintain risk management programs have not been successful and we cannot ensure in all circumstances that the efforts of the third parties upon which we rely to maintain risk management programs will be successful in the future. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities.
This data is consolidated in centralized repositories, assessed using industry-standard practice risk quantification models, and prioritized for remediation based on risk and impact to the business. We have in the past used widely adopted risk quantification models, including those described in National Institute of Standards and Technology (NIST) special publications as well as the FAIR Institute’s Factor Analysis of Information Risk (FAIR) methodology for Quantifying and Managing Risk to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards, and may continue to use these or other models in the future. We conduct regular reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and continuously improve our security measures and planning. We have a role-based security training program under which all staff undergo mandatory periodic security awareness training, with additional on-the-job security training and coaching provided to our IT and technology personnel by an external third-party cybersecurity firm. We continuously enhance our cybersecurity measures by providing ongoing simulated phishing exercises to our employees to increase their preparedness to address potential threats. The results of these assessments are reported to the Audit Committee as discussed below under “–Cybersecurity Governance.” In the last ten years, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or that we believe are reasonably likely to materially affect us, including our business, financial condition, cash flows and results of operations. 
However, we face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our business, financial condition, cash flows and results of operations. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents could materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors - “We face continually evolving cybersecurity and similar risks, which could result in loss, disclosure, theft, destruction or misappropriation of, or access to, our confidential information and cause disruption to our business, damage to our brands and reputation, legal exposure and financial losses,” which is incorporated by reference into this Item 1C.
Cybersecurity Governance
The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. Specifically, our Audit Committee is responsible for the oversight of risks from cybersecurity threats and receives regular updates from senior management including our Senior Vice President of Information Technology on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. Our cybersecurity protocol requires that the Chair of the Audit Committee and senior management be immediately notified upon any cybersecurity incident. Our Senior Vice President of Information Technology, who has over 20 years of experience in the information technology sector, leads our global information security team responsible for overseeing the Emerald information security program.
In addition, the team members who support our information security program have relevant educational and industry experience, including holding similar positions at large technology companies. This team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. The team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel, analysis of threat intelligence and review of other information obtained from governmental, public or private sources (including external consultants engaged by us), and alerts and reports produced by security tools deployed in the IT environment. The team provides regular reports to senior management and other relevant teams on various cybersecurity threats, assessments, and findings.
Company Information
Name | Emerald Holding, Inc. |
CIK | 0001579214 |
SIC Description | Services-Business Services, NEC |
Ticker | EEX - NYSE |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |