TEGNA INC - (TGNA)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

In today’s digital world, protecting our systems and data from cyberattacks and unintentional or malicious breaches is a priority for our leadership and Board of Directors. Our cybersecurity team is overseen at a high level by our Senior Vice President and Chief Technology Officer, who is directly supported by our Vice President of IT and Station Operations and our Senior Director of IT Security and Compliance. This leadership team has decades of experience leading cybersecurity oversight and managing our organization’s cybersecurity risks. Team members who support our information security program have relevant education, industry experience, and technical certifications. The technical leadership team provides quarterly and annual cybersecurity updates to our Board of Directors, briefing the Board on our cyber program, industry trends and risks, and any incidents the Company has experienced. Directors with experience in cybersecurity and technology play crucial roles in strategy, innovation, and oversight of the Company’s technology investments. The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats.

TEGNA uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework and has clearly defined policies and standards for all employees and technical systems. TEGNA’s internal Cybersecurity Council conducts quarterly meetings to discuss risks, processes, controls, strategy, and response. We use external subject matter experts to provide independent assessments of the cybersecurity program. Following the NIST Cybersecurity Framework, TEGNA utilizes internal reporting, policies, software, training programs and hardware solutions to protect and monitor our environment, including multifactor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. Our network is continuously monitored using prevailing industry tools, and our cybersecurity team promptly investigates any anomalies. TEGNA has an extensive patching and software update program, and performance metrics are reported to our Board. All new employees are required to take a cybersecurity training course, and we have mandatory quarterly training modules for all employees.

We maintain third-party vendor policies and practices to identify, prioritize, mitigate, and remediate third-party risk. Third-party access is narrowly limited in scope, granting access only to necessary systems with the lowest level of privileges required. Third-party access is monitored, and accounts are reviewed and attested to on a quarterly basis. TEGNA relies on third parties to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

TEGNA has documented and tested incident response plans, which outline the steps to be followed from incident detection to containment, recovery, and notification, including notifying functional areas, as well as senior leadership and the Board, as appropriate. With assistance from third-party cybersecurity experts, TEGNA regularly conducts cybersecurity tabletop exercises with leadership and technical teams. TEGNA conducts compliance reviews of all cybersecurity policies and procedures at least annually and utilizes an outside cybersecurity firm to evaluate the overall program. Business units are required to attest to applicable TEGNA security controls monthly.

Notwithstanding the extensive approach TEGNA takes to cybersecurity, we face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have from time to time experienced threats to our information systems and data. For more information about the cybersecurity risks we face, see the risk factor entitled “Our efforts to minimize the likelihood and impact of adverse cybersecurity incidents and to protect our technology and confidential information may not be successful and our business could be negatively affected” in Item 1A. “Risk Factors”.