Clear Channel Outdoor Holdings, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Clear Channel Outdoor Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 21:18:37 EST.

Filings

10-K filed on 2026-02-26

Clear Channel Outdoor Holdings, Inc. filed a 10-K at 2026-02-26 21:18:37 EST
Accession Number: 0001334978-26-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company maintains a robust cybersecurity program that promotes confidentiality, integrity and availability of our corporate and customer resources throughout the life cycle of our out-of-home service offerings. Under the oversight of the Audit Committee of our Board, as more fully explained below, and with the support of the Company's compliance function and the Company's internal and external audit functions, the Company operates an enterprise-wide risk management governance framework that sets standards and provides guidance for the identification, assessment, monitoring and control of the most significant risks facing the Company, including cybersecurity. Our enterprise risk management process is guided by the COSO Enterprise Risk Management Framework, which incorporates the three lines of defense model. In addition, we leverage our global Compliance department, legal teams, cybersecurity teams and privacy teams as key components of our overall cybersecurity program. Our cybersecurity program includes comprehensive technology and risk oversight programs designed to ensure that our technology systems and cybersecurity education programs are effective and that we are prepared to report and manage information security risks. Developed using collaboration and transparency principles, we maintain a suite of information and cybersecurity policies, standards and guides based on commonly adopted cybersecurity standards, frameworks and regulatory requirements, including publications from the National Institute of Standards and Technology and the Center for Information Security. Furthermore, we perform periodic evaluations of our security programs, information technology infrastructure and information security management systems through internal self-assessments and external independent consultations. In addition, we conduct regular security monitoring for internal and external threats to the confidentiality and integrity of our information assets, and our cybersecurity programs undergo periodic testing with the purpose of achieving swift and orderly restoration of business operations in the event of a cybersecurity incident. Cyber hygiene is integrated into our culture from employee onboarding and lasts throughout the employee life cycle, using various tools, such as frequent information security awareness messages and annual cybersecurity awareness training. As part of testing our programs, we regularly conduct internal simulated phishing campaigns. The Company also maintains comprehensive cyber insurance. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all. Communication of our cybersecurity values and expectations is extended to our third-party solutions through specific programs, which include monitoring and rating services and open-source intelligence risk assessments. In addition to conducting posture and intelligence reviews of our vendors, our cybersecurity teams conduct evaluations of critical vendors to assess security requirements, and we assess our service level agreements to monitor whether cyber controls and practices are integrated to the levels specified in our cybersecurity standards. We have experienced, and may in the future experience, whether directly or through our supply chain partners, cybersecurity incidents. While prior cybersecurity incidents have not had a material impact on the Company, future cybersecurity incidents, including breaches, could have a material impact on our business, operations and reputation. For additional information about the Company's cybersecurity risks, please refer to "Technology Risks" in Item 1A of this Annual Report on Form 10-K. Governance Our Board has delegated oversight of risks related to cybersecurity to the Audit Committee . The Audit Committee is, therefore, charged with reviewing our cybersecurity processes for assessing key strategic, operational and compliance risks. Our Chief Compliance Officer briefs the Audit Committee on cybersecurity risks at each of its meetings, which occur at least four times each year. These briefings include an assessment of cyber risks, an overview of the cyberthreat landscape, updates on cybersecurity incidents, and reports on our investments in cybersecurity risk mitigation strategies and technologies and related corporate governance. In addition, our Chief Technology Officer briefs the Audit Committee on cybersecurity risks at least annually. The Audit Committee then provides updates on significant cybersecurity matters to the Board periodically. A strong partnership exists between our information technology, enterprise security, internal audit and legal and compliance functions so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required. Our Chief Compliance Officer is Lynn A. Feldman, the Company's Executive Vice President, Chief Legal and Administrative Officer and Corporate Secretary. Ms. Feldman has over 20 years of experience leading the legal and risk management departments of public companies. Her areas of responsibility cover privacy, cybersecurity risk and data protection; governance, including with respect to cybersecurity; and global legal compliance and reporting. For additional information about Ms. Feldman's experience, please refer to the " Information About Our Executive Officers " section in this Annual Report on Form 10-K. Our Chief Technology Officer, Nichole Boatsman, oversees the integration and security of the Company's digital products, infrastructure and all user-facing technology. Ms. Boatsman brings over 15 years of technology leadership experience spanning both consulting and in-house executive roles. Her career includes driving large-scale digital transformation, leading enterprise SaaS and data platform strategy, and building inclusive, high-performing teams across complex organizations. Our cybersecurity program is overseen by our Head of Cybersecurity, Louie Garcia. Mr. Garcia has almost 20 years of cybersecurity experience, spanning threat perspectives, cyber exercise development and training, enterprise vulnerability assessments, defensive and offensive network solutions, and operational evaluation of cyber products. Our business in Spain has a regional head of cybersecurity and a chief technology officer who oversee the business's cybersecurity program and report to the Company's senior management team, including the Chief Compliance Officer, on progress towards specific cybersecurity objectives.

Company Information