BOSTON OMAHA Corp 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

BOSTON OMAHA Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 16:20:05 EDT.

Filings

10-K filed on 2024-03-27

BOSTON OMAHA Corp filed an 10-K at 2024-03-27 16:20:05 EDT
Accession Number: 0001437749-24-009605

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including, confidential information that is proprietary, strategic or competitive in nature, and data related to financial and customer data ( Information Systems and Data ). While to date, we have not had a major cyber incident against our platforms, nor experienced significant data loss or any material financial losses related to cybersecurity attacks, it is possible that we could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factor captioned Disruptions to or any breach of our information technology systems could disrupt our business operations which could have a material adverse effect on our business, prospects, results of operations, financial condition and/or cash flows. Our officers and employees and our IT vendors help identify, assess and manage our cybersecurity threats and risks and the unique needs of each of our billboard, surety insurance, broadband and other businesses and the various offices in which we operate. We manage, identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and risk profile using various methods including, for example: through the use of automated tools, including but not limited to tools for monitoring, geolocation, remote wiping, threat detection, intrusion detection and prevention, patch management, distributed denial of service (DDoS) protection and forensics conducting (directly or through third parties) regular audits and threat assessments for internal and external threats subscribing to reports and services that identify cybersecurity threats analyzing reports of threats and actors conducting vulnerability assessments to identify vulnerabilities evaluating our and our industry s risk profile and evaluating threats reported to us. We implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident response plans and procedures, disaster recovery/business continuity plans, risk assessments, implementation of security standards and certifications, encryption of data, network security controls, data segregation, access controls, physical security, asset management, tracking and disposal, systems monitoring, vendor risk management program, employee training and penetration testing. Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, cybersecurity risk is addressed as a component of our enterprise risk management program, and members of our management team and IT consultants work together to prioritize our risk management processes, mitigate cybersecurity threats that are more likely to lead to a material impact to our business, and report regularly to our board of directors on cybersecurity matters. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example managed cybersecurity service providers, threat intelligence service providers, dark web monitoring services, and other cybersecurity software providers. We use third-party service providers to perform a variety of functions throughout our business, including but not limited to application providers, hosting companies, contract manufacturing organizations and contract research organizations. We have a vendor management program to oversee, identify and manage cybersecurity risks associated with our use of these providers. The program includes a risk assessment for vendors that may include, depending on the vendor and nature of services being performed, security questionnaires, review of the vendor’s written security program, review of security assessments, audits and reports, vulnerability scans related to the vendor, security assessment calls with the vendor’s security personnel, and the imposition of certain contractual obligations on the vendor, among other elements, in accordance with the processes outlined in our internal vendor selection, management, and oversight process policy and other internal guidelines. More specifically, the level of assessment may depend on the following: the nature of the services provided and the data the vendors may collect, retain, and utilize, the sensitivity of the Information Systems and Data at issue, and the identity of the provider. Governance Our board of directors addresses our cybersecurity risk management as part of its general oversight function. Our cybersecurity risk assessment and management processes are implemented and maintained by various members of our management team and IT consultants, which includes individuals who have a diverse combination of relevant expertise, experience, education and training. Our team includes individuals with relevant experience in enterprise risk management and disclosure controls and procedures. Additionally, certain members of our team have experience managing cybersecurity programs and are specifically assigned cybersecurity oversight. Certain members of our management team are responsible for hiring appropriate employees and consultants, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management. Our cybersecurity incident management team, and other individuals as needed, work to help us mitigate and remediate cybersecurity incidents of which we are notified. In addition, our incident response processes include a procedure for reporting certain cybersecurity incidents to the board of directors. Commencing in 2024, our Audit and Risk Committee is taking the lead on behalf of the board of directors on oversight of our cybersecurity risk management program. 39 Table of Contents

Company Information