Paramount Global 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Paramount Global reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:14:10 EST.

Filings

10-K filed on 2024-02-28

Paramount Global filed an 10-K at 2024-02-28 17:14:10 EST
Accession Number: 0000813828-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Our information security program, the framework for how we assess, identify and manage risks from information security and cybersecurity threats, is designed in alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and leverages the International Organization for Standardization 27001 framework. Cybersecurity risk is integrated into our overall strategic risk management ( SRM ) program, which evaluates key risk areas across Paramount by a cross-functional group of risk owners, in close coordination with members of senior management. Our information security program is overseen by our Chief Technology Officer ( CTO ) and Chief Information Security Officer ( CISO ), in consultation with our Chief Privacy Officer as needed. We employ a layered defense-in-depth system, which includes the use of continually evolving technologies to assess and protect the security of our enterprise-wide applications and Systems, our intellectual property and proprietary and other I-23 information and the data and personal information of our customers and employees; monitoring of our technology environment; performing regular security audits and vulnerability assessments; and regular cybersecurity and privacy training for our employees. We engage consultants and other third parties to conduct independent security assessments of our information security program and to provide us with information on new and developing threats and tactics. We have established processes to oversee and identify risks and cybersecurity threats associated with our third-party service providers. Pursuant to our information security and privacy policies and corresponding training, our employees and third-party vendors are instructed to notify our information security team as soon as they become aware of a suspected cybersecurity incident. We have a cybersecurity incident response plan to manage our response to potential and actual cybersecurity incidents. The plan includes procedures to assess the potential impact of an incident on the Company. When an incident meets certain criteria, the CISO and members of the information security team timely notify members of senior management, including our CTO and General Counsel, and under certain circumstances, the Audit Committee. All incidents are reviewed periodically with senior management. Our Board of Directors has delegated to the Audit Committee the responsibility for reviewing our processes and policies with respect to risk assessment, risk management and risk acceptance, including our processes and policies with respect to information security and cybersecurity. The Audit Committee receives quarterly reports from the CTO and CISO, which include information on the broader information security and cybersecurity threat landscape, the information security program s strategic priorities, progress made in respect of those priorities and summaries of cybersecurity incidents and related remediation efforts. Our Chief Audit Executive reports to the Audit Committee with respect to our key risks, including information security and cybersecurity risks, which are monitored pursuant to our SRM program. Our CTO leads our global technology strategy and multiplatform operations and has over 15 years of experience working in technology positions at large media companies. Our CISO has more than 20 years of experience managing information security for media/entertainment, technology, retail and financial services companies. While at Paramount, our CISO oversaw the integration of Viacom s and CBS s information security programs and our transformation to a cloud-centric, global streaming provider. We have experienced cybersecurity attacks in the past and may experience attacks in the future, potentially with more frequency or sophistication. Although past attacks have not materially impacted our strategy, financial condition or results of operations, the scope and impact of any future incident cannot be predicted. See Item 1A. Risk Factors Risks Relating to Business Continuity, Cybersecurity and Privacy and Data Protection.

Company Information