National CineMedia, Inc. 10-K Cybersecurity GRC - 2024-03-18

Page last updated on April 11, 2024

National CineMedia, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-18 16:23:12 EDT.

Filings

10-K filed on 2024-03-18

National CineMedia, Inc. filed an 10-K at 2024-03-18 16:23:12 EDT
Accession Number: 0001377630-24-000042

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We maintain a cybersecurity management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats and incidents. We review our program design on at least a quarterly basis and update as needed to address the risks and threats that our corporate security team has identified. Our team also benchmarks our program to industry recognized frameworks, including the International Organization for Standardization. The Audit Committee of the Board of Directors receives regular reports on cybersecurity risks and evaluates these risks as a part of their enterprise risk review. Our teams also rely on third-party diagnostic tools and periodic audits to ensure that our program is performing as designed and in-line with applicable standards. Our Chief Information Officer oversees a security committee made up of professionals on our corporate security, and other information technology teams to review the results of these audits and recommend improvements. Prior to engaging a third party to provide services, our information technology team performs a risk assessment to determine the level of review of the vendor needed based on the nature of the services to be provided and type of information that may be shared. The resulting vendor review may include requiring the vendor to provide the results of external audits. We continue to monitor our vendors throughout their engagements with us to ensure they have complied with their contractual obligations, including service level agreements and other contractual standards. We have also established an incident response plan to assess, identify and manage specific potential cybersecurity incidents. This plan requires the corporate security team to notify a response team. The response team assesses the risks of the identified potential incident and determines an appropriate response based on the risks identified. The response team then reports on the incident to senior management and, if necessary, a subset of our financial disclosure committee to determine if the cybersecurity incident should be reported in our public filings. 32 We face cybersecurity risks in connection with our business operations. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to our data and systems, including social engineering threats, denial of service attacks, malware and computer virus attacks. For more information about the cybersecurity risks we face, see Item 1A Risk Factors . Governance Board Oversight The Audit Committee of the Board of Directors oversees the Company s cybersecurity program. The cybersecurity team updates the Audit Committee on at least a quarterly basis to discuss the effectiveness of the Company s risk management program, potential and identified threats, remediation and mitigation plans, and other topics as requested by the Audit Committee. The Audit Committee regularly reports to the full Board of Directors and management reports on specific matters as requested by the Board of Directors. Management s Role The Company s Chief Information Officer is responsible for the Company s cybersecurity team and for reporting to the Audit Committee of the Board of Directors. The Company s corporate security team reports directly to the Chief Information Officer. Our Chief Information Officer has more than thirty years of experience managing communications networks, data centers, information technology teams, systems administration, and cybersecurity in the media and advertising industry. Our corporate security team is similarly composed of seasoned professionals with significant experience in the field. The Chief Information Officer regularly informs the Company s senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. The corporate security team has a broad range of experience selecting, deploying, and operating cybersecurity technologies initiatives and seek to ensure that each team stays educated on emerging technologies and threats.

Company Information