Page last updated on March 27, 2025
IZEA Worldwide, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 17:16:00 EDT.
Filings
10-K filed on 2025-03-27
IZEA Worldwide, Inc. filed a 10-K at 2025-03-27 17:16:00 EDT
Accession Number: 0001495231-25-000050
Item 1C. Cybersecurity.
ITEM 1C - CYBERSECURITY
Risk Management and Strategy
We have developed a cybersecurity program based on internationally recognized frameworks, such as SOC-2 compliance for systems and organization controls related to our software development, and maps to standards published by Center for Internet Security (CIS) for our day-to-day operational stance. We conduct regular scans, penetration tests, and vulnerability assessments to identify any potential threats or vulnerabilities in our systems. Our processes to assess, identify and manage the material risks from cyber threats include assessing the risks arising from threats associated with third party service providers, including cloud-based platforms.
We have developed a cyber crisis response plan for handling high severity security incidents and coordinating across multiple parts of the company. Our incident response team monitors threat intelligence feeds, handles vulnerability management and responds to incidents. In addition, we routinely perform training, simulations, and drills across company personnel.
Internally, we have a security awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The security awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on an annual basis, and it is supplemented by testing initiatives, including periodic phishing tests. We also provide specialized security training for certain employee roles, such as application developers. Finally, our privacy program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.
From time to time, we engage third-party service providers to enhance our risk mitigation efforts. For instance, we have engaged an independent cybersecurity advisor to lead a cybersecurity crisis simulation exercise that has been used by our senior leaders to prepare for a possible cyber crisis. In addition, we have engaged a security auditor and advisor in systems administration and penetration testing, a systems auditor and advisor for cybersecurity and compliance, an IT Systems auditor and assurance vendor and an email security and cybersecurity training partner. We also purchase insurance to protect us against the risk of cybersecurity breaches.
To date, risks from cybersecurity threats have not previously materially affected us, and we currently are not aware of risks from cybersecurity threats that are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. However, as discussed more fully under “Item 1A - Risk Factors”, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches of these types and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
Governance
Role of Management
IZEA’s CEO, our Director, Systems & Security, and our Senior Development Operations (DevOps) leader jointly manage our cybersecurity risks. We have established a Security Council, which includes our CEO, Director, Systems & Security, Senior Manager, Systems & Security, Chief Financial Officer, General Counsel, and other senior officers, that meets quarterly to review cybersecurity and information security matters.
The Security Council has primary management oversight responsibility for assessing and managing information security, fraud, vendor, data protection and privacy, and cybersecurity risks.
We have a security incident response framework in place. We use this incident response framework as part of our process to keep our management and Board of Directors informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The framework is a set of coordinated procedures and tasks that our incident response team, under our CEO’s direction, executes to ensure timely and accurate resolution of cybersecurity incidents. Our cybersecurity framework includes regular compliance assessments with our policies, standards, and applicable state and federal statutes and regulations. In addition, we validate compliance with our internal data security controls through security monitoring utilities and internal and external audits.
Our CEO and Director, Systems & Security, have extensive experience in the information technology area. In particular, our Director, Systems & Security has over twenty years of professional experience in the information security area, including as a result of his roles as a director of security, a security architect, and a software security engineer at various companies.
Role of the Board of Directors
The Board of Directors Audit Committee is responsible for the primary oversight of our information security and cybersecurity programs. The Audit Committee receives periodic reports from our CEO on cyber risks and threats, the status of initiatives to enhance our information security systems, assessments of our security posture, and insights into emerging threats. Additionally, the CEO reports to the Audit Committee on our Company-wide enterprise risk assessment, including evaluating cyber risks and threats.
The Chair of the Audit Committee subsequently informs the full Board of these cybersecurity matters and key discussion topics and meeting materials and recommends updates to our information security policies and programs for Board approval.
Company Information
Name | IZEA Worldwide, Inc. |
CIK | 0001495231 |
SIC Description | Services-Advertising |
Ticker | IZEA - Nasdaq |
Category | Non-accelerated filer; Smaller reporting company |
Fiscal Year End | December 30 |