Fluent, Inc. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Fluent, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 16:15:31 EDT.

Filings

10-K filed on 2025-03-31

Fluent, Inc. filed a 10-K at 2025-03-31 16:15:31 EDT
Accession Number: 0001437749-25-010194

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have made cybersecurity and the protection of our customers’ data a top priority . The critical areas that we consider for our evolving cybersecurity program include access control; data encryption; SSDLC/change management; BCP/DRP; endpoint security; patch management; vulnerability assessments; compliance management; data privacy; incident response; monitoring, alerting, and logging; employee training (ingrained in our onboarding process, and mandatory online and in person training annually); and cyber insurance (coverage areas include ransomware, and business interruption which are critical to our clients and availability of business operations). Risk Management & Strategy Our cyber risk management program is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. To help protect our company from a major cybersecurity incident that could have a material impact on operations or our financial results, we have implemented policies, procedures, programs and controls, including investments in technology that focus on cybersecurity incident prevention, identification and mitigation. These investments include best practice applications such as CrowdStrike, Okta, Intune and Kandji. These tools also strengthen our overall IT posture as well as our monitoring and alerting and patching processes. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the continuous monitoring such as National Institute of Standards and Technology (“NIST”). We execute an NIST 800-53 review annually and use the results of existing cyber risks to prioritize projects designed to address these gaps and create a go-forward strategy. Our internal and external auditors review our IT and cybersecurity controls annually for design and operating effectiveness. Governance Our Cybersecurity Program is governed by the Company’s IT, Legal, and Compliance teams. Our Chief Technology Officer (“CTO”) has over 20 years of experience in marketing technology and analytics. Our Vice President of IT Governance, Risk and Compliance (“VP of IT”) has over 20 years of experience in IT internal and external audits, IT consulting, and governance, risk, and compliance. Our General Counsel regularly coordinates with the IT team on data security and compliance issues. The CTO and General Counsel report directly to the Chief Executive Officer (“CEO”), so any material issues are raised to the CEO, and a status update of key cybersecurity projects and any material breaches is provided quarterly to the Board’s Audit Committee, which includes both an internal and external audit. Incident Disclosure and Materiality Our incident management procedures include identification, evaluation, definition, and escalation based on the determination of materiality. This determination involves the Company’s IT, Legal, and Compliance teams, executive officers, and cyber insurance provider. Breach notifications and escalation to the Audit Committee would also be based on the materiality determination. The collaboration among IT, Legal, and Compliance helps ensure and prevent gaps with laws and regulations. Each quarter, the VP of IT provides an update on key cybersecurity projects and any material breaches at the quarterly Audit Committee meeting, at which both the internal and external auditors are present. While we did not experience a material cybersecurity incident during the year ended December 31, 2024, the scope and impact of any future incident cannot be predicted. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, results of operations, or financial condition. See Item 1A. “Risk Factors” for more information on our cybersecurity-related risks.

Company Information