|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Criteo recognizes the critical importance of maintaining the safety and security of our systems and data and has a holistic
process for overseeing and managing cybersecurity and related risks. Our security program is led by our Chief Information
Security Officer (“CISO”), who reports directly to our Chief Technology Officer (“CTO”), who is responsible for managing
cybersecurity risks as well as protecting our products, networks and systems. Our CISO has extensive information
technology and program management experience and has served many years in our corporate information security
organization. Our CISO manages our security organization, which is composed of dedicated teams of experts in security
engineering, incident response, compliance, and software development.
Risk Management
Our security team has several touch points within the business in order to adequately address and mitigate risks. For
instance, the team provides mandatory cybersecurity awareness training for all employees and a recurring phishing
campaign. Our technical security teams use a combination of threat intelligence tools, defensive tools and proactive
testing to detect vulnerabilities and respond. Our technical security teams also invest in building new tools and integrating
solutions to improve our security posture on an ongoing basis.
Our security compliance teams perform third-party risk assessments, respond to client inquiries about security, help the
business to manage our security controls, and translate our external requirements into policies, standards, and actions for
the rest of our business. Various parts of our team also participate in risk assessments during project kick-offs.
With regards to third-party risk assessments, our process involves assessing how third parties interact and connect with
our information systems and our data, assessing the security of the third-party (including through questionnaires), and
obtaining independent proofs of security (including via security certification and/or penetration tests) depending on the
associated level of risk, as evaluated by our team. Our procurement teams also run checks to ensure vendors are not
sanctioned or otherwise identified as potentially corrupt.
The process of assessing, identifying and managing cybersecurity related risks is integrated into our overall ERM via a
dedicated Information Security Risk Management program that is focused on cybersecurity risk and run by our security
compliance team. Risks that are identified through our security processes go through a process of analysis, prioritization,
treatment and monitoring. During the lifecycle of cybersecurity specific risks, risk owners, working alongside the security
compliance team, are assigned to develop risk mitigation plans, which are followed by the team until a risk is sufficiently
mitigated or resolved, at which point such risk reaches a monitoring state. Cybersecurity risks are aggregated into
strategic business risks and incorporated into the ERM program.
Cybersecurity Incidents
While we have experienced cybersecurity incidents in the past, there have been none to date which have materially
affected, or are reasonably likely to materially affect, the Company, our financial position, results of operations and/or cash
flows. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and
processes, which are designed to help protect our systems and infrastructure, and the information they contain.
For more information regarding the risks we face from cybersecurity threats, please see “Item 1A. Risk Factors – Risks
Related to Data Privacy, Intellectual Property and Cybersecurity.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The process of assessing, identifying and managing cybersecurity related risks is integrated into our overall ERM via a
dedicated Information Security Risk Management program that is focused on cybersecurity risk and run by our security
compliance team. Risks that are identified through our security processes go through a process of analysis, prioritization,
treatment and monitoring. During the lifecycle of cybersecurity specific risks, risk owners, working alongside the security
compliance team, are assigned to develop risk mitigation plans, which are followed by the team until a risk is sufficiently
mitigated or resolved, at which point such risk reaches a monitoring state. Cybersecurity risks are aggregated into
strategic business risks and incorporated into the ERM program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Governance
Our Board of Directors is primarily responsible for the oversight of our risk management activities and has delegated to
the Audit Committee the responsibility to assist in this task.
The Audit Committee regularly reviews and discusses with management and, as appropriate, the Company’s auditors, the
Company’s guidelines and policies with respect to risk assessment and risk management, including the Company’s data
privacy and cybersecurity risk exposures and the steps taken to monitor and manage those exposures.
The CISO helps maintain a comprehensive security program that serves as a governance framework for information
security at Criteo, supports the business goals of the company and details, across problem spaces and security core
functions, the various initiatives, their scope, the associated risks and weaknesses, the roadmap and the current progress.
Criteo assesses and manages its cybersecurity risks in part through an executive committee referred to as the
Governance Risk and Compliance Committee (the “GRCC”). The GRCC is composed of the CISO and certain members
of our executive and leadership teams, and meets several times a year to discuss strategic information security matters
including the security program, major risks and incidents and significant key performance indicators (“KPIs”).
As a member of the GRCC, the CISO briefs the Audit Committee on the information security program, major risks and any
cybersecurity incidents, typically at least annually. Additionally, cybersecurity risks are reported to the Board of Directors,
at least annually, as part of Criteo’s enterprise risk mapping (“ERM”) program.
Quality Control of Security
To help ensure that our security program functions in line with industry expectations, Criteo invests in identifying and
remediating gaps in our security posture. To accomplish this, we use a mix of our internal expertise and external third-
party expertise, as needed, to audit ourselves against industry standards, such as the National Institute of Standards and
Technology (“NIST”) Cybersecurity Framework, International Organization for Standardization 27001 Information Security
Management System Requirements (“ISO27001”) and the American Institute of Certified Public Accountants’ Service
Organization Control Type 2 (“AICPA SOC 2”). Various parts of our business maintain independently assessed security
certifications, and we also run certification programs to expand the scope of our existing security certifications.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors is primarily responsible for the oversight of our risk management activities and has delegated to
the Audit Committee the responsibility to assist in this task.
The Audit Committee regularly reviews and discusses with management and, as appropriate, the Company’s auditors, the
Company’s guidelines and policies with respect to risk assessment and risk management, including the Company’s data
privacy and cybersecurity risk exposures and the steps taken to monitor and manage those exposures.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|he
Governance Risk and Compliance Committee (the “GRCC”). The GRCC is composed of the CISO and certain members
of our executive and leadership teams, and meets several times a year to discuss strategic information security matters
including the security program, major risks and incidents and significant key performance indicators (“KPIs”).
|Cybersecurity Risk Role of Management [Text Block]
|The CISO helps maintain a comprehensive security program that serves as a governance framework for information
security at Criteo, supports the business goals of the company and details, across problem spaces and security core
functions, the various initiatives, their scope, the associated risks and weaknesses, the roadmap and the current progress.
Criteo assesses and manages its cybersecurity risks in part through an executive committee referred to as the
Governance Risk and Compliance Committee (the “GRCC”). The GRCC is composed of the CISO and certain members
of our executive and leadership teams, and meets several times a year to discuss strategic information security matters
including the security program, major risks and incidents and significant key performance indicators (“KPIs”).
As a member of the GRCC, the CISO briefs the Audit Committee on the information security program, major risks and any
cybersecurity incidents, typically at least annually. Additionally, cybersecurity risks are reported to the Board of Directors,
at least annually, as part of Criteo’s enterprise risk mapping (“ERM”) program.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Governance
Our Board of Directors is primarily responsible for the oversight of our risk management activities and has delegated to
the Audit Committee the responsibility to assist in this task.
The Audit Committee regularly reviews and discusses with management and, as appropriate, the Company’s auditors, the
Company’s guidelines and policies with respect to risk assessment and risk management, including the Company’s data
privacy and cybersecurity risk exposures and the steps taken to monitor and manage those exposures.
The CISO helps maintain a comprehensive security program that serves as a governance framework for information
security at Criteo, supports the business goals of the company and details, across problem spaces and security core
functions, the various initiatives, their scope, the associated risks and weaknesses, the roadmap and the current progress.
Criteo assesses and manages its cybersecurity risks in part through an executive committee referred to as the
Governance Risk and Compliance Committee (the “GRCC”). The GRCC is composed of the CISO and certain members
of our executive and leadership teams, and meets several times a year to discuss strategic information security matters
including the security program, major risks and incidents and significant key performance indicators (“KPIs”).
As a member of the GRCC, the CISO briefs the Audit Committee on the information security program, major risks and any
cybersecurity incidents, typically at least annually. Additionally, cybersecurity risks are reported to the Board of Directors,
at least annually, as part of Criteo’s enterprise risk mapping (“ERM”) program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|To help ensure that our security program functions in line with industry expectations, Criteo invests in identifying and
remediating gaps in our security posture. To accomplish this, we use a mix of our internal expertise and external third-
party expertise, as needed, to audit ourselves against industry standards, such as the National Institute of Standards and
Technology (“NIST”) Cybersecurity Framework, International Organization for Standardization 27001 Information Security
Management System Requirements (“ISO27001”) and the American Institute of Certified Public Accountants’ Service
Organization Control Type 2 (“AICPA SOC 2”). Various parts of our business maintain independently assessed security
certifications, and we also run certification programs to expand the scope of our existing security certifications.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|he
Governance Risk and Compliance Committee (the “GRCC”). The GRCC is composed of the CISO and certain members
of our executive and leadership teams, and meets several times a year to discuss strategic information security matters
including the security program, major risks and incidents and significant key performance indicators (“KPIs”).
As a member of the GRCC, the CISO briefs the Audit Committee on the information security program, major risks and any
cybersecurity incidents, typically at least annually. Additionally, cybersecurity risks are reported to the Board of Directors,
at least annually, as part of Criteo’s enterprise risk mapping (“ERM”) program.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true