SAGA COMMUNICATIONS INC 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

SAGA COMMUNICATIONS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:30:04 EDT.

Filings

10-K filed on 2024-03-15

SAGA COMMUNICATIONS INC filed a 10-K at 2024-03-15 16:30:04 EDT
Accession Number: 0001558370-24-003419


Item 1C. Cybersecurity.

Risk Management and Strategy

We have established processes and policies for assessing, identifying and managing material risks posed by cybersecurity threats. Our processes and policies are based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework and include a Cybersecurity Incident Response Plan (CIRP). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management processes, policies and CIRP are focused on (1) developing organizational understanding to manage cybersecurity risks, (2) applying safeguards to protect our systems, (3) detecting the occurrence of a cybersecurity incident, (4) responding to a cybersecurity incident and (5) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall risk management systems and processes. For instance, all of our employees with network access are required to complete information security and privacy training on an annual basis. We are continuously working to improve our information technology systems and provide employee awareness training around phishing, malware, and other cyber risks to enhance our levels of protection.

We have engaged independent consultants and other third-parties to assist us in establishing and improving our policies. Our processes and policies include the identification of those third-party relationships which have the greatest potential to expose us to cybersecurity threats and, upon identification, we conduct additional due diligence as a part of establishing those relationships. We also maintain insurance coverage for cybersecurity insurance as part of our overall insurance portfolio.

For additional information concerning cybersecurity risks we face, see Item 1A Risk Factors - Information Technology and Cybersecurity Failures or Data Security Breaches Could Harm Our Business.

Governance

Cybersecurity and risks related to our information technology and other computer resources are an important focus of our Board of Directors’ risk oversight. The Board has created a Cybersecurity Sub Committee of our Audit Committee for oversight of cybersecurity and other information technology risks. Our Cybersecurity Sub Committee of our Audit Committee receives materials on a frequent basis to address the identification and status of information technology cybersecurity risks, and management, including our Chief Technology Officer (CTO), provides periodic updates to our Cybersecurity Sub Committee. The Sub Committee reports to the full Board regarding its activities. The full Board also receives briefings from management on our cyber risk management program.

The CTO is responsible for managing our information security team to ensure they are assessing and managing cybersecurity risks in accordance with our processes and procedures. Our CTO has approximately 25 years’ experience managing enterprise information technology systems. Our management team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us and alerts and reports produced by security tools deployed in the IT environment.

Pursuant to our CIRP, when a cybersecurity event has been identified through our detection processes, it is assessed in order to determine whether the event is a cybersecurity incident. Our CIRP designates the primary manager of a cybersecurity incident, describes the parties who should be informed about the incident and outlines the processes for containment, eradication, recovery and resolution of the incident. Depending on the severity and impact of a cybersecurity threat, members of our senior management team and Board of Directors are notified of an incident and kept informed of the mitigation and remediation of the incident.


Company Information

Name: SAGA COMMUNICATIONS INC
CIK: 0000886136
SIC Description: Radio Broadcasting Stations
Ticker: SGA - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30