Sinclair, Inc. - (SBGI)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Sinclair maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management system and disclosure committee. The program addresses the corporate information technology environment, third-party service providers and customer-facing products and applications.
The Company’s Chief Information Security Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board, the audit committee and disclosure committee. Our Chief Information Security Officer has over a decade of experience leading cybersecurity oversight, and others on our IT security team have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification.
We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. At the management level, our IT security team identifies risks by regularly monitoring alerts, meeting to discuss threat levels, trends, and remediation, and immediately informs the Chief Information Security Officer, who leads the IT security team, upon the occurrence of any material event. The processes used to assess the risk level include preparing a monthly cyber scorecard, regularly collecting data on cybersecurity threats and risk areas and conducting an annual risk assessment. To assure risks are reduced and maintained, we conduct periodic external penetration tests, red team testing, and maturity testing to assess our processes and procedures and the threat landscape. We regularly test defenses by performing simulations and drills at both a technical level (including penetration tests) and by reviewing our operational policies and procedures with third-party experts. We view cybersecurity as a shared responsibility throughout the Company, and we periodically perform simulations and tabletop exercises at technical and management levels and incorporate external resources and advisors as needed. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. All employees are required to complete cybersecurity training at least once a year and have access to more frequent cybersecurity online training. We also require employees in certain roles to complete additional role-based, specialized cybersecurity training. We utilize our Internal Audit team to assess the design and operating effectiveness of our internal controls, including those that relate to our IT security environment. Further, we maintain various cyber insurance policies and believe we are adequately covered in the event we experience a cybersecurity breach.
In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Our Internal Audit team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of the hosted applications are required to document user access reviews at least annually and provide from the vendor a System and Organization Controls ("SOC") 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework.
The Board oversees Sinclair’s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The Company's Chief Information Security Officer briefs the Board on the effectiveness of Sinclair’s cyber risk management program, typically on a quarterly basis. In addition, cybersecurity risks are reviewed by the Board, at least annually, as part of the Company’s corporate risk management process.
We face a number of cybersecurity risks in connection with our business. We have in the past experienced threats to and breaches of our data and systems, including ransomware, malware and computer virus attacks, including a ransomware attack in October 2021 which had a material adverse impact on our business strategy, results of operations or financial condition to date. For more information about the cybersecurity risks we face and have experienced, see the risk factor entitled “We have experienced a cyber security breach in the past and may be vulnerable to future security breaches, data privacy, and other information technology failures that could have a material adverse effect on our financial performance and operating results and disrupt our operations” within Item 1A - Risk Factors.