Gannett Co., Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Gannett Co., Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 10:46:23 EST.

Filings

10-K filed on 2024-02-22

Gannett Co., Inc. filed an 10-K at 2024-02-22 10:46:23 EST
Accession Number: 0001579684-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY 40 Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats (as such term is defined in Item 106(a) of Regulation S-K), including, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy or security laws and other litigation and legal risks, and reputational risks. We employ various cybersecurity processes and controls to aid in our efforts to identify, assess, and manage our material risks from cybersecurity threats and to protect against, detect, and respond to cybersecurity incidents (as such term is defined in Item 106(a) of Regulation S-K). To identify and assess material risks from cybersecurity threats, we consider and gather information with respect to the confidentiality, integrity, and availability of our information systems (as defined in Item 106(a) of Regulation S-K). We have adopted policies and procedures that are designed to assist us with managing identified risks at a system and organizational level and assessing the materiality of the risk, its severity, and potential mitigations or remediations. Our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. The risk identification process includes: (i) identifying information systems and assets, including physical and virtual devices, software, data, data transfers, external systems, and cloud resources; (ii) reviewing organizational business processes, identities, access, and roles (including privileged access), asset configurations, technology policies, standards, controls, and processes; (iii) analyzing the criticality of assets and business processes and sensitivity of data; and (iv) identifying vulnerabilities and threats to the identified assets, data, and processes, from both internal and external sources, including threat intelligence, previous cybersecurity incidents, and third-party assessments. Our processes also consider risks associated with our use of third-party service providers and business partners, including those in our supply chain or who have access to our customer and employee data or our information systems. Third-party service provider and business partners risks are included within our cybersecurity risk management program, as well as the risk identification and assessment processes, both of which are discussed above. In addition, cybersecurity and privacy considerations affect the selection and oversight of our third-party service providers and business partners, as well as third-party specific integration plans. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in a specified manner, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. We employ a range of tools and services to inform our risk preparedness, identification, assessment and remediation processes, including, among others, continuous monitoring, regular reoccurring security and compliance activities, training, threat intelligence, business processes, change management, strategic planning, annual assessments, and periodic testing and assessments performed by qualified security personnel and by third-party firms. As part of the above-described processes, we engage with third-party firms to perform independent assessments, including internal and external penetration tests, social engineering tests, configuration assessments, security plan and program assessments, compliance assessments, and incident response readiness exercises to help identify areas for continued focus, improvement and/or compliance. Identified risks are evaluated and assessed by the Company’s security review council, comprised of various security, technology, and privacy staff members and management. A member of management is assigned as the risk owner and takes an active role in managing the risk, including determining the risk response and risk treatment plan, as well as participates in assessing any residual risk. Our Chief Information Security Officer oversees our cybersecurity risk management program. In the event of a potential material risk, the risk is reported to the Chief Information Security Officer, the Chief Technology Officer, and to the appropriate member of senior management responsible for the function where the risk has been identified. The risk is then reviewed by the Disclosure Committee, which includes among others, the Company’s Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, and Chief Accounting Officer to make a determination of whether the risk is material. In 2023, our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Risks Related to Cybersecurity and Artificial Intelligence” under Risk Factors in this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. 41 Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board of Directors and management. Our Board of Directors is responsible for the oversight of risks from cybersecurity threats. Each quarter or as needed, the Board of Directors receives an overview from management of our cybersecurity program and strategy covering topics such as cybersecurity incidents and response, progress towards pre-determined risk-mitigation-related goals, results from third-party assessments, cybersecurity staffing, compliance status, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to any such risks. In such sessions, our Chief Information Security Officer is available to the Board of Directors to discuss any relevant cybersecurity matters. In addition, at least bi-annually, the Chief Information Security Officer and Chief Technology Officer report to the Board of Directors about cybersecurity threat risks, among other cybersecurity related matters. Our cybersecurity risk management and strategy processes discussed above, are led by our Chief Information Security Officer and Chief Technology Officer, both of whom are Certified Information Systems Security Professionals (“CISSP”). Specifically, our Chief Information Security Officer has approximately nine years of experience developing cybersecurity strategy, incident response, and implementing cybersecurity programs for public media companies and our Chief Technology Officer has approximately 15 years of experience developing cybersecurity strategy, incident response, and implementing cybersecurity programs.

Company Information