Page last updated on February 27, 2026
Warner Bros. Discovery, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 17:20:35 EST.
Filings
10-K filed on 2026-02-27
Warner Bros. Discovery, Inc. filed a 10-K at 2026-02-27 17:20:35 EST
Accession Number: 0001437107-26-000020
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity). However, our procedures may not be sufficient to adequately mitigate the negative impacts of a cybersecurity breach or adverse event and we may not have adequate insurance coverage to compensate us for any losses that may occur. Additionally, applicable data privacy laws and regulations may require us to notify relevant regulators and/or consumers of cybersecurity incidents, or to implement other requirements, any of which could be costly. If our or our service providers' information security systems or data are compromised, such compromises could result in a disruption of services or a reduction of the revenues we are able to generate from such services, damage to our brands and reputation, a loss of confidence in the security of our offerings and services, and significant legal, regulatory and financial exposure, each of which could potentially have an adverse effect on our business, financial condition and results of operations. 30 Our business, financial condition and results of operations may be negatively impacted by the outcome of uncertainties related to litigation. From time to time, we are subject to a number of legal claims, regulatory investigations, litigation actions (asserted individually and/or on behalf of a class), and/or arbitration proceedings, both in the U.S. and in foreign countries, including, at any particular time, claims relating to antitrust, intellectual property, employment, wage and hour, consumer privacy, free speech, regulatory and tax proceedings, contractual and commercial disputes, and the production, distribution, and licensing of our content. We also spend substantial resources complying with various government standards, including any related investigations and litigation. We may incur significant expenses defending such suits or government charges and may be required to pay amounts or otherwise change our operations in ways that could materially adversely affect our business, financial condition and results of operations. This could result in an increase in our cost for defense or settlement of claims or indemnification obligations if we were to be found liable in excess of our historical experience. Even if we believe a claim is without merit, and/or we ultimately prevail, defending against the claim could be time-consuming and costly and divert our management's attention and resources away from our business. In addition, our insurance may not be adequate to protect us from all significant expenses related to pending and future claims and our current levels of insurance may not be available in the future at commercially reasonable prices. Any of these factors could adversely affect our business, financial condition and results of operations. Global economic conditions and other global events may have an adverse effect on our business. Our business is significantly affected by prevailing economic conditions and levels of consumer discretionary spending. A downturn in global economic conditions may negatively affect our current and potential customers, particularly advertisers whose expenditures are sensitive to general economic conditions, vendors and others with whom we do business and their ability to satisfy their obligations to us. Inflationary conditions or an increase in price levels generally increases our content production costs and other costs of doing business, which could negatively affect our profitability. Further, a high interest rate environment, whether arising out of a policy response to inflationary conditions or otherwise, increases the costs of our securitization portfolio, which may also negatively affect our results of operations. Decreases in consumer discretionary spending in the U.S. and other countries where our content is distributed may cause a decrease in cable television subscriptions, subscriptions to our streaming products, or movie theater attendance to view our feature films, among others, all of which may negatively affect our revenues and results of operations. In addition, our business and operations has been, and in the future could be, disrupted or impacted by other global events, including political, social, or economic unrest, terrorism, hostilities, natural disasters such as earthquakes, or pandemics. For example, the COVID-19 pandemic had numerous effects on our business, including a decrease in advertising revenues, a postponement of significant live events, and reduced movie theater attendance. Other global events in the future could disrupt our business and operations in unpredictable ways. The market price of our common stock has been highly volatile and may continue to be volatile due, in part, to circumstances beyond our control. The market price of our common stock has fluctuated, and may continue to fluctuate, due to many factors, some of which may be beyond our control. These factors include, without limitation: - actual or anticipated variations in our financial and operating results; - changes in our estimates, guidance or business plans; - variations between our actual results and expectations of securities analysts, or changes in financial estimates and recommendations by securities analysts; - market sentiment about our industry in general or our business in particular, including our level of debt, our leverage ratio, credit ratings, and our ability to effectively compete in the categories and industries in which we operate; - sales of our stock in the public market by our stockholders, some of whom, together with their affiliates, hold large amounts of our stock; - the activities, operating results or stock price of our competitors, or other industry participants; - spending on domestic and foreign television and digital advertising; - the announcement or completion of, or interim developments or publicity related to, significant transactions by us (such as the PSKY Merger) or a competitor; - overall general market fluctuations and other events affecting the stock market generally; and 31 - the economic and political conditions in the U.S. and internationally, as well as other factors described in this Item 1A. Risk Factors. Some of these factors may adversely impact the price of our common stock, regardless of our operating performance. Further, volatility in the price of our common stock may negatively impact our business, including by limiting our financing options for acquisitions and other business expansion. Our participation in multiemployer defined benefit pension plans could subject us to liabilities that could adversely affect our business, financial condition and results of operations. We contribute to various multiemployer defined benefit pension plans (the "multiemployer plans") under the terms of collective bargaining agreements that cover certain of our union-represented employees which could subject us to liabilities in certain circumstances. The amount of funds we may be obligated to contribute to multiemployer plans in the future cannot be estimated, as these amounts are based on future levels of work of the union-represented employees covered by the multiemployer plans, investment returns and the funding status of such plans. As of December 31, 2025, we were an employer that provided more than 5% of total contributions to certain of the multiemployer plans in which we participate. If we choose to stop participating or substantially reduce participation in certain of these plans, we may be subject to a withdrawal liability. In addition, actions taken by any other participating employer that lead to a deterioration of the financial health of a multiemployer plan may result in the unfunded obligations of the multiemployer plan being borne by its remaining participating employers, including us. To the extent a multiemployer plan is underfunded or in endangered, seriously endangered or critical status, additional required contributions and benefit reductions may apply. We currently contribute to multiemployer plans that are underfunded, and, as such, under federal law we may be subject to substantial liabilities in the event of a complete or partial withdrawal from, or a voluntary or involuntary withdrawal from, or termination of, such plans. There can be no assurance that we will not be subject to liabilities in the future due to the foregoing or other circumstances that may arise in connection with these plans or that we can adequately mitigate these costs, any of which could materially adversely affect our business, financial condition and results of operations. ITEM 1B. Unresolved Staff Comments. None. ITEM 1C. Cybersecurity. We have a cybersecurity program to assess and manage risks to the confidentiality, integrity, and availability of our data, networks and technology assets across WBD. Our board of directors oversees risk management at WBD and has delegated functional oversight of cybersecurity and information technology risks to our board of directors' audit committee (the "Audit Committee"). Our Chief Information Security Officer ("CISO") is responsible for the management of such risks and oversees a global organization whose responsibilities include proactively managing and monitoring information and content security, cybersecurity risk, and processes to enable secure and resilient access to, and use of, WBD products and services. Risk Management and Strategy We have a cybersecurity risk management strategy for safeguarding our digital assets that includes both technical and non-technical cybersecurity controls. Our cybersecurity risk management processes are designed to evolve in response to changes in our business, technological environment, and the broader threat landscape and are aligned and integrated into our overall enterprise risk management approach. Our multi-layered technical defense involves a series of protective measures across various levels of our technological environment. This includes fortifying our network perimeter through intrusion detection and prevention systems, securing individual devices with antivirus solutions and endpoint detection, implementing network security measures, and ensuring the resilience of applications. In addition to these technical security solutions, we also leverage non-technical methods, such as promoting a cybersecurity-conscious culture throughout WBD which includes mandatory annual cybersecurity training for all employees, a regular cadence of cybersecurity messaging to our employees, and frequent phishing simulations. Further, we engage independent third parties to conduct annual internal and external penetration testing and independent assessments of our cybersecurity risk management practices using the National Institute of Standards and Technology's cybersecurity framework and other leading industry practices as guidelines . We also engage an independent third party to conduct a biennial cybersecurity maturity assessment to evaluate the maturity of our entire cybersecurity program. We also invest in cybersecurity incident detection and response. Our Cybersecurity Operations Center provides continuous threat monitoring and anomaly detection that is intended to prevent or minimize damage from a cybersecurity attack. We have a Cybersecurity Incident Response Plan that establishes procedures, roles, responsibilities, and communication protocols for WBD executive management and technical staff in the event of a cybersecurity incident. We periodically review and enhance our cybersecurity incident response processes and conduct exercises involving relevant stakeholders to assess preparedness and response effectiveness. We test the efficacy of the Cybersecurity Incident Response Plan and assess our response capabilities by conducting annual tabletop exercises that simulate cybersecurity threat scenarios. 32 We have ongoing processes to identify and assess cybersecurity risks associated with current and prospective third-party service providers. Our third-party cybersecurity risk management processes are risk-based and ongoing and are designed to assess cybersecurity considerations throughout the vendor relationship lifecycle. These processes include a vendor cybersecurity compliance assessment at the time of onboarding, contract renewal and/or as needed in the event of a cybersecurity incident affecting such third-party vendor. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and notify us in the event of a cybersecurity incident that impacts us. We have established cybersecurity information sharing and collaboration practices with both government agencies and industry partners, which we believe enhances our overall cybersecurity resilience. We periodically experience cybersecurity incidents, but, as of December 31, 2025, we are not aware of any such incidents that have materially impacted or are reasonably likely to materially impact our business, financial condition or results of operations. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents or will not discover additional information about previously detected events. See Item 1A, "Risk Factors" for details on the risks from cybersecurity threats that we face. Governance We have established a cybersecurity governance framework designed to provide effective oversight, clear accountability and appropriate escalation across WBD. Our cybersecurity program is led by our CISO, who is responsible for the design, implementation and operation of controls to prevent, detect, mitigate and remediate cybersecurity threats. The CISO assesses and monitors our cybersecurity posture through ongoing engagement with our content and information security team and provides regular reporting to WBD executive management and the Audit Committee in accordance with established governance and escalation protocols. WBD executive management is engaged in the governance of our cybersecurity program through defined oversight, reporting and escalation mechanisms. Our Chief Financial Officer, Chief Legal Officer, Chief Audit and Risk Officer and Chief Information Officer receive regular updates regarding cybersecurity risks, incidents and program initiatives and participate in governance, prioritization and escalation decisions as appropriate to their respective enterprise responsibilities. Our board of directors oversees our overall enterprise risk management approach, including risks related to cybersecurity and information technology. Our board of directors has delegated primary oversight responsibility for cybersecurity and information technology risks to the Audit Committee. The Audit Committee receives regular reports from our CISO, at least quarterly, regarding our cybersecurity risk posture, significant developments in the threat landscape, the effectiveness of controls, and progress on initiatives to strengthen and enhance our cybersecurity program. The Audit Committee also receives updates outside of the regular reporting cadence when warranted by significant events, emerging risks or regulatory developments and may devote additional meeting time to in-depth review of cybersecurity matters or education on relevant topics. The Chair of the Audit Committee provides readouts to our board of directors on matters, including cybersecurity matters, reviewed at meetings of the Audit Committee. We maintain a Cybersecurity Incident Response Plan that defines incident severity thresholds, escalation protocols and reporting requirements and facilitating coordination across multiple parts of the Company. We also have processes in place designed to ensure that decisions regarding public disclosure and reporting of cybersecurity incidents can be made in a timely manner. Cybersecurity incidents that meet established escalation criteria are reported to WBD executive management and as appropriate, to the Audit Committee, to support timely oversight and response. Our cybersecurity governance framework also includes ongoing assessment and testing of controls and response capabilities, including tabletop exercises, penetration testing and third-party assessments, to help evaluate program effectiveness and inform continuous improvement. Our CISO brings extensive experience leading global cybersecurity and information security programs across complex public- and private-sector organizations, with expertise in cybersecurity risk management, data protection and regulatory compliance, and holds industry-recognized cybersecurity certifications.
ITEM 1C. Cybersecurity. We have a cybersecurity program to assess and manage risks to the confidentiality, integrity, and availability of our data, networks and technology assets across WBD. Our board of directors oversees risk management at WBD and has delegated functional oversight of cybersecurity and information technology risks to our board of directors' audit committee (the "Audit Committee"). Our Chief Information Security Officer ("CISO") is responsible for the management of such risks and oversees a global organization whose responsibilities include proactively managing and monitoring information and content security, cybersecurity risk, and processes to enable secure and resilient access to, and use of, WBD products and services. Risk Management and Strategy We have a cybersecurity risk management strategy for safeguarding our digital assets that includes both technical and non-technical cybersecurity controls. Our cybersecurity risk management processes are designed to evolve in response to changes in our business, technological environment, and the broader threat landscape and are aligned and integrated into our overall enterprise risk management approach. Our multi-layered technical defense involves a series of protective measures across various levels of our technological environment. This includes fortifying our network perimeter through intrusion detection and prevention systems, securing individual devices with antivirus solutions and endpoint detection, implementing network security measures, and ensuring the resilience of applications. In addition to these technical security solutions, we also leverage non-technical methods, such as promoting a cybersecurity-conscious culture throughout WBD which includes mandatory annual cybersecurity training for all employees, a regular cadence of cybersecurity messaging to our employees, and frequent phishing simulations. Further, we engage independent third parties to conduct annual internal and external penetration testing and independent assessments of our cybersecurity risk management practices using the National Institute of Standards and Technology's cybersecurity framework and other leading industry practices as guidelines . We also engage an independent third party to conduct a biennial cybersecurity maturity assessment to evaluate the maturity of our entire cybersecurity program. We also invest in cybersecurity incident detection and response. Our Cybersecurity Operations Center provides continuous threat monitoring and anomaly detection that is intended to prevent or minimize damage from a cybersecurity attack. We have a Cybersecurity Incident Response Plan that establishes procedures, roles, responsibilities, and communication protocols for WBD executive management and technical staff in the event of a cybersecurity incident. We periodically review and enhance our cybersecurity incident response processes and conduct exercises involving relevant stakeholders to assess preparedness and response effectiveness. We test the efficacy of the Cybersecurity Incident Response Plan and assess our response capabilities by conducting annual tabletop exercises that simulate cybersecurity threat scenarios. 32 We have ongoing processes to identify and assess cybersecurity risks associated with current and prospective third-party service providers. Our third-party cybersecurity risk management processes are risk-based and ongoing and are designed to assess cybersecurity considerations throughout the vendor relationship lifecycle. These processes include a vendor cybersecurity compliance assessment at the time of onboarding, contract renewal and/or as needed in the event of a cybersecurity incident affecting such third-party vendor. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and notify us in the event of a cybersecurity incident that impacts us. We have established cybersecurity information sharing and collaboration practices with both government agencies and industry partners, which we believe enhances our overall cybersecurity resilience. We periodically experience cybersecurity incidents, but, as of December 31, 2025, we are not aware of any such incidents that have materially impacted or are reasonably likely to materially impact our business, financial condition or results of operations. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents or will not discover additional information about previously detected events. See Item 1A, "Risk Factors" for details on the risks from cybersecurity threats that we face. Governance We have established a cybersecurity governance framework designed to provide effective oversight, clear accountability and appropriate escalation across WBD. Our cybersecurity program is led by our CISO, who is responsible for the design, implementation and operation of controls to prevent, detect, mitigate and remediate cybersecurity threats. The CISO assesses and monitors our cybersecurity posture through ongoing engagement with our content and information security team and provides regular reporting to WBD executive management and the Audit Committee in accordance with established governance and escalation protocols. WBD executive management is engaged in the governance of our cybersecurity program through defined oversight, reporting and escalation mechanisms. Our Chief Financial Officer, Chief Legal Officer, Chief Audit and Risk Officer and Chief Information Officer receive regular updates regarding cybersecurity risks, incidents and program initiatives and participate in governance, prioritization and escalation decisions as appropriate to their respective enterprise responsibilities. Our board of directors oversees our overall enterprise risk management approach, including risks related to cybersecurity and information technology. Our board of directors has delegated primary oversight responsibility for cybersecurity and information technology risks to the Audit Committee. The Audit Committee receives regular reports from our CISO, at least quarterly, regarding our cybersecurity risk posture, significant developments in the threat landscape, the effectiveness of controls, and progress on initiatives to strengthen and enhance our cybersecurity program. The Audit Committee also receives updates outside of the regular reporting cadence when warranted by significant events, emerging risks or regulatory developments and may devote additional meeting time to in-depth review of cybersecurity matters or education on relevant topics. The Chair of the Audit Committee provides readouts to our board of directors on matters, including cybersecurity matters, reviewed at meetings of the Audit Committee. We maintain a Cybersecurity Incident Response Plan that defines incident severity thresholds, escalation protocols and reporting requirements and facilitating coordination across multiple parts of the Company. We also have processes in place designed to ensure that decisions regarding public disclosure and reporting of cybersecurity incidents can be made in a timely manner. Cybersecurity incidents that meet established escalation criteria are reported to WBD executive management and as appropriate, to the Audit Committee, to support timely oversight and response. Our cybersecurity governance framework also includes ongoing assessment and testing of controls and response capabilities, including tabletop exercises, penetration testing and third-party assessments, to help evaluate program effectiveness and inform continuous improvement. Our CISO brings extensive experience leading global cybersecurity and information security programs across complex public- and private-sector organizations, with expertise in cybersecurity risk management, data protection and regulatory compliance, and holds industry-recognized cybersecurity certifications.
Company Information
| Name | Warner Bros. Discovery, Inc. |
| CIK | 0001437107 |
| SIC Description | Cable & Other Pay Television Services |
| Ticker | WBD - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |