GRAY TELEVISION INC 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

GRAY TELEVISION INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 10:53:08 EST.

Filings

10-K filed on 2024-02-23

GRAY TELEVISION INC filed an 10-K at 2024-02-23 10:53:08 EST
Accession Number: 0001437749-24-005295

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy We strive to implement leading data protection standards to ensure a strong commitment to cybersecurity. Our Data Security Policy and Cybersecurity Incident Response Plan ( CIRP ), which is part of our enterprise wide risk management processes, guides our cybersecurity program. The CIRP, developed in consultation with an independent cybersecurity expert, includes processes for identifying, managing, and remediating cybersecurity incidents. We utilized the National Institute of Standards and Technology ( NIST ) and the Center for Internet Security ( CIS ) guidelines to develop and implement the CIRP, which is approved by our Chief Technology Officer ( CTO ). However, this should not be interpreted to mean that we meet any particular technical standards, specifications, or requirements, only that we used the NIST and CIS as a guide to help create develop and implement the CIRP. The CIRP is reviewed and updated annually. The Company s cybersecurity risk management processes include ongoing monitoring and testing of its information systems and data to identify and respond to potential cybersecurity threats. Internally, the Company utilizes an enterprise Attack Surface Management tool to routinely scan for vulnerabilities to internal assets. Externally, we use third-party vendors to routinely conduct scans for vulnerabilities to external assets. In addition, our internal auditors along with management also conduct periodic monitoring of our internal controls over our data security and customer privacy systems and processes. For many vendors for the Company, we request copies of standard security reports or assessments, such as System and Organization Controls ( SOC ) reports, to support our assessment of our vendors security practices. In collaboration with the National Association of Broadcasters, North American Broadcasters Association, and risk management vendors, we are also working to assemble broadcaster-specific guidelines for information technology vendor selection. The Company provides security awareness training for all employees on a regular basis. The training is designed to educate and prepare employees to recognize unsafe practices and to properly respond to phishing attacks from email, social media, and other sources. Follow-up testing using simulated attack tools is used to validate the effectiveness of training and compliance. Although we have systems and processes in place to protect against risks associated with cybersecurity incidents in the future, depending on the nature of an incident, these protections may not be fully sufficient. We have experienced both targeted and non-targeted cybersecurity attacks and incidents in the past that have resulted in unauthorized persons gaining access to limited, non-critical information and systems that were detected by our security processes. Nevertheless, we could in the future experience similar or more severe attacks. To date, no cybersecurity incident or attack, or any risk from cybersecurity threats, has materially affected or has been determined to be reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats we face, see the section captioned Operating Risks Disruptions or security breaches of our information technology infrastructure could interfere with our operations, compromise client information and expose us to liability, possibly causing our business and reputation to suffer within Part I, Item 1A. Risk Factors . Governance Management is responsible for the Company s day-to-day risk management and the Board serves in an oversight role. The Board has empowered the Audit Committee with formal oversight of enterprise risk matters, including with respect to cybersecurity. The Audit Committee and management periodically review the Company s policies with respect to risk identification, assessment, and management, including cybersecurity risk exposures and the internal controls and procedures in place to manage such risks, as well as the steps that management takes to monitor and control such exposures. In addition, the Audit Committee and the Board consider risk-related matters on an ongoing basis in connection with deliberations regarding specific transactions and issues. 28 The Cybersecurity Incident Response Team ( CIRT ), which is led by the CTO, is responsible for the prevention, detection, mitigation, and remediation of cybersecurity incidents and conducts primary incident response efforts. Our CTO, who is responsible for assessing and managing the Company s cybersecurity risks, has over 30 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at Raycom Media prior to the Raycom Merger. Other team members of the CIRT also have relevant educational and industry experience, including holding similar positions at large companies. Incidents can be escalated up to our executive leadership team, depending on the severity of the incidents. Our President and/or CTO regularly report to our Board, and our CISO and General Counsel regularly report to our Audit Committee about our cybersecurity health and initiatives. In addition, the Board receives quarterly reports on risk management activities across Gray operations, including with respect to cybersecurity.

Company Information