Live Nation Entertainment, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Live Nation Entertainment, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:34:57 EST.

Filings

10-K filed on 2024-02-22

Live Nation Entertainment, Inc. filed an 10-K at 2024-02-22 16:34:57 EST
Accession Number: 0001335258-24-000017

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our Board of Directors (the Board ) is responsible for overseeing our risk management program and cybersecurity is a critical element of this program. The Information Security and Privacy team leads cybersecurity risk management for our business. Effective Cyber Risk Management is foundational to our Information Security and Privacy program and is based on recognized frameworks established by the National Institute of Standards and Technology (NIST). Our Information Security and Privacy Risk Management program includes processes and controls for the business to ensure that cybersecurity risks are identified and responded to promptly. These range from formal processes that are triggered in certain circumstances, to detective controls and technology that we use to identify and manage risks. Information Security and Privacy s Risk Management process is consistent with our Enterprise Risk Management Policy, which describes how we manage risks generally. The Information Security and Privacy team also engages with external consultants to ensure best practices in our Cyber Risk Management. Cybersecurity Risk Management and Strategy Our cybersecurity risk management and strategy focus on several areas: Risk Identification and Reporting: We have implemented a comprehensive, cross-functional approach to assessing, identifying, and managing material cybersecurity threats and incidents. The program includes controls and procedures to properly identify, classify, and escalate certain cybersecurity incidents to provide management visibility and obtain an assessment from management as to the public disclosure and reporting of material incidents in a timely manner. The Information Security and Privacy team s responsibilities include: Conducting privacy impact assessments; Rating cyber risk severity, coordinating remediation, and monitoring cyber risks within our enterprise risk register; Cyber threat intelligence functions, including monitoring cybercrime and geopolitical developments; Supporting mergers and acquisitions activities, including integration of newly acquired businesses; Performing security architecture reviews, both of existing enterprise systems and those of newly acquired organizations; Monitoring and ensuring Payment Card Industry Data Security Standard (PCI-DSS) compliance where required across the enterprise; and Conduct and supervision of penetration testing. Technical Safeguards: We have implemented technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence, as well as outside audits and certifications. The Information Security and Privacy team also manages and carries out logging, and vulnerability and application scanning, to support the identification of cyber risks. Incident Response and Recovery Planning: We maintain comprehensive incident response, business continuity, and disaster recovery plans designed to guide our response to cybersecurity incidents. We also conduct regular tabletop exercises to test these plans and ensure personnel are familiar with their roles in a response scenario. Third-Party Risk Management (TPRM): We maintain a comprehensive, risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties, including vendors, service providers, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems, including any outside auditors or consultants who advise on our cybersecurity systems. Education and Awareness: We provide regular, mandatory training for all levels of employees regarding cybersecurity threats to equip our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes, and practices. Governance The Board, in coordination with our Global Data Governance Board (GDGB) and the Audit Committee, oversees our risk management program, including the management of cybersecurity threats. The GDGB receives regular presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security. 27 The Chief Information Security and Privacy Officer (CISPO) is the risk manager overseeing the organization s information security risk management function. As the Risk Manager, the CISPO is responsible for the administration of the information security risk management program, policy, and procedures. This includes ensuring that risks are properly identified, assessed, managed, and reported as prescribed by the organization. The Risk Manager also has the responsibility of promoting an effective risk management culture through regular training across the organization. The CISPO has direct communication with senior executives regarding cybersecurity risks and works collaboratively with our leadership to respond to and manage the response to cybersecurity incidents. The CISPO has nearly 20 years of legal and data protection experience with a focus on Information Security, Privacy, and Abuse Prevention. Material Effects of Cybersecurity Incidents Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including its business strategy, results of operations, or financial condition. Further information regarding cybersecurity risks can be found in Item 1A. Risk Factors - Risks Relating to Information Technology, Cybersecurity and Intellectual Property.

Company Information