Page last updated on November 26, 2025
LEE ENTERPRISES, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-26 11:21:13 EST.
Company Summary
Lee Enterprises is a provider of local news, information and advertising.
Filings
10-K filed on 2025-11-26
LEE ENTERPRISES, Inc filed a 10-K at 2025-11-26 11:21:13 EST
Accession Number: 0000058361-25-000040
Item 1C. Cybersecurity.
Item 1C - Cybersecurity" of this Annual Report. Our possession and use of personal information and the use of payment cards by our customers present risks and expenses that could harm our business. Unauthorized access to or disclosure or manipulation of such data, whether through breach of our network security or otherwise, could expose us to liabilities and costly litigation and damage our reputation. Our online systems store and process confidential subscriber and other sensitive data, such as names, email addresses, addresses, and other personal information. Therefore, maintaining our network security is critical. Additionally, we depend on the security of our third-party service providers. Unauthorized use of or inappropriate access to our, or our third-party service providers' networks, computer systems and services could potentially jeopardize the security of confidential information, including payment card (credit or debit) information, of our customers. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are not recognized until launched against a target, we or our third-party service providers may be unable to anticipate these techniques or to implement adequate preventative measures. A party that is able to circumvent our security measures could misappropriate our proprietary information or the information of our customers or users, cause interruption in our operations, or damage our computers or those of our customers or users. As a result of any such breaches, customers or users may assert claims of liability against us and these activities may subject us to legal claims, adversely impact our reputation, and interfere with our ability to provide our products and services, all of which may have an adverse effect on our business, financial condition and results of operations. 
The coverage and limits of our insurance policies may not be adequate to reimburse us for losses caused by security breaches. A significant number of our customers authorize us to bill their payment card accounts directly for all amounts charged by us. These customers provide payment card information and other personally identifiable information which, depending on the particular payment plan, may be maintained to facilitate future payment card transactions. Under payment card rules and our contracts with our card processors, if there is a breach of payment card information that we store, we could be liable to the banks that issue the payment cards for their related expenses and penalties. In addition, if we fail to follow payment card industry data security standards, even if there is no compromise of customer information, we could incur significant fines or lose our ability to give our customers the option of using payment cards. If we were unable to accept payment cards, our business would be seriously harmed. There can be no assurance that any security measures we, or our third-party service providers, take will be effective in preventing a data breach. We may need to expend significant resources to protect against security breaches or to address problems caused by breaches. If an actual or perceived breach of our security occurs, the perception of the effectiveness of our security measures could be harmed and we could lose customers or users. Failure to protect confidential customer data or to provide customers with adequate notice of our privacy policies could also subject us to liabilities imposed by United States federal and state regulatory agencies or courts. We could also be subject to evolving state laws that impose data breach notification requirements, specific data security obligations, or other consumer privacy-related requirements. 
Our failure to comply with any of these laws or regulations may have an adverse effect on our business, financial condition and results of operations.

On February 3, 2025, we experienced a Cyber Incident that disrupted certain IT systems and resulted in unauthorized access to certain files. The Cyber Incident had a significant negative impact on our 2025 operating results. Various revenue lines were impacted, certain operating expenses were higher than they were prior to the incident, and many projects underway were significantly delayed. For further discussion concerning ongoing litigation related to the Cyber Incident, see "Note 19, Commitments and Contingencies," to the consolidated financial statements included in Item 8 of Part II of this Annual Report.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

Processes for Assessing, Identifying, and Managing Cybersecurity Risks

The Company has established processes to assess, identify, and manage material risks arising from cybersecurity threats (as defined in Item 106(a) of Regulation S-K). These processes are integrated into the Company's overall risk management system. Specifically:

- The addition of an experienced Chief Information Security Officer ("CISO") with over 25 years of experience to lead the IT Cybersecurity and Compliance team.
- Yearly risk assessment designed to help identify material cybersecurity risks to our information systems (as defined in Item 106(a) of Regulation S-K) and data.
- A security incident response team that is responsible for managing our cybersecurity risk, security controls, response, and reporting cybersecurity incidents (as defined in Item 106(a) of Regulation S-K).
- A cyber and data security incident response plan with policies and procedures for identifying, managing, and recovering from cybersecurity incidents, including escalating tiers of notification and reporting depending on an incident's nature and severity.
- The use of third-party service providers, where appropriate, to manage, assess, test, and assist with aspects of our security controls, such as:
  ◦ 24/7 Security Operations Center Managed Services ("SOC") to monitor our cyber environment, correlate logs from all technology assets to identify potential signs of compromise and perform threat hunt exercises.
  ◦ Enterprise-grade email security system managed services.
  ◦ Perform penetration tests, vulnerability assessments, and vulnerability scans of our customer-facing sites, among others.
  ◦ Prevention of denial-of-service attacks.
- Cybersecurity insurance designed to reduce the risk of loss resulting from cybersecurity incidents.
- Policies and procedures related to cybersecurity matters, including but not limited to Acceptable Standards of Use of Technology Systems, Confidential/Sensitive Information and Credit Card Handling Policy, encryption standards, antivirus protection, wireless and remote access, multi-factor authentication, access and change control, and physical security.
- Employee cybersecurity awareness by performing ongoing phishing exercises, and mandatory privacy and cybersecurity training (including spear phishing and other awareness training) for employees.

Material Effects of Cybersecurity Threats

On February 3, 2025, we experienced a systems outage caused by a cybersecurity attack by threat actors who unlawfully accessed our network, encrypted critical applications, and exfiltrated certain files (herein defined as the "Cyber Incident"). Upon discovery, we promptly activated our incident response plan, engaging both internal teams and third-party cybersecurity experts. During the year ended September 28, 2025, we incurred $10.5 million loss of cash flows related to the Cyber Incident. Approximately $3.7 million of this was incurred expenses that are recognized in "Restructuring and Other" in the Consolidated Statements of (Loss) Income and Comprehensive (Loss) Income. We have filed insurance claims for the remaining $6.8 million to cover business interruption and other costs. The Cyber Incident remains under legal and forensic investigation, including evaluation of the extent and potential risk related to unauthorized access to sensitive data. The incident had a significant negative impact on our 2025 operating results. Various revenue lines were impacted, certain operating expenses were higher than they were prior to the incident, and many projects underway were significantly delayed.

For a description of the risks related to cybersecurity that may materially affect us and how they may do so, see the "Risk Factors-Risks Related to Cybersecurity" section of this Report.

GOVERNANCE

Board of Directors Oversight

The Board of Directors plays a crucial role in overseeing our management of cybersecurity risks. The Audit and Risk Management Committee is specifically tasked with this responsibility, and it regularly reports to our Board regarding its activities, including those related to cybersecurity risk management. Our Board also receives periodic briefings from management on our cybersecurity risk management program, including presentations on cybersecurity topics from our Chief Information Officer, internal information security team, and third-party experts. These briefings cover the current threat landscape, ongoing cybersecurity initiatives, and our response to significant incidents.

Management's Role in Cybersecurity Risk Management

Management is actively involved in assessing and managing material risks from cybersecurity threats. The following processes are in place:

- Responsible Positions/Committees: The Chief Information Officer and Chief Information Security Officer are responsible for assessing and managing cybersecurity risks. The individuals in these roles possess extensive expertise in cybersecurity. Specifically, the Chief Information Officer has over 25 years in Information Technology across multiple industries, and the Chief Information Security Officer has over 25 years in Security, Risk, Audit, and Compliance across various sectors, including both public and private.
- Monitoring and Response Processes: We have established processes to inform and monitor cybersecurity incidents for prevention, detection, and resolution using a 24/7 third-party SOC Managed Service. The SOC is responsible for providing alerts, updates, and remediation services as needed by monitoring all technology assets for potential signs of compromise and conducting threat hunt exercises.
- Reporting to the Board: Information about cybersecurity risks is regularly reported to the Board of Directors or its relevant committee. This reporting includes updates on our cybersecurity risk profile, significant incidents, and the effectiveness of mitigation strategies.
Company Information
| Name | LEE ENTERPRISES, Inc |
| CIK | 0000058361 |
| SIC Description | Newspapers: Publishing or Publishing & Printing |
| Ticker | LEE - Nasdaq |
| Category | Accelerated filer; Smaller reporting company |
| Fiscal Year End | September 28 |