AMC ENTERTAINMENT HOLDINGS, INC. - (AMC)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

The Company recognizes the importance of developing, implementing, and maintaining cybersecurity measures to assess, identify, and manage material risks from cybersecurity (including cybersecurity threats associated with the use of third-party service providers), to safeguard our information systems, and to protect the confidentiality, integrity, and availability of the data on our information systems.

Managing Material Risks & Integrated Overall Risk Management

The Company has strategically integrated cybersecurity risk management into our broader risk management framework. Management has formed cross-functional risk and information security committees (the “Security Committees”) to initiate, develop, review and implement cybersecurity policies, procedures and training to mitigate cybersecurity risks. Our information technology (“IT”) cybersecurity leadership team works closely with our Security Committees and internal audit team to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

Risk Management Personnel

The Company’s senior IT leadership, comprised of the Chief Information Officers of both AMC and Odeon, and IT cybersecurity teams have the primary responsibility for assessing, monitoring, and managing our cybersecurity programs. The Company’s senior IT leadership bring over fifty years of combined IT experience to their roles. Each member of the Company’s IT cybersecurity leadership team, comprised of the AMC Sr. Director Cybersecurity and Network, the AMC Director Cybersecurity, the Odeon Group Head of Cyber, Risk and Operations and the AMC VP IT Operations, brings 20+ years of IT experience. The Company regularly invests in training for these teams, and key leadership positions hold CISSP certifications. Our senior IT leadership and IT cybersecurity team, with input as appropriate from the Security Committees, oversee our governance programs, test our compliance with standards, remediate known risks, and direct employee training.

Monitoring Cybersecurity Incidents

The Security Committees are continually informed about the latest developments in cybersecurity, including potential threats and risk management techniques. The Security Committees, and in particular senior IT leadership, IT cybersecurity and internal audit members serving on the Security Committees, implement and oversee processes for the regular monitoring of our information systems. The Company follows the NIST framework to design and implement security processes, tools and procedures, and regular system audits identify and lead to remediation of potential vulnerabilities. In the event of a cybersecurity incident, senior IT leadership and the Security Committees are equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact, internal and external communication plans, and notification requirements.

Engagement of Consultants for Risk Management Services

Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts to perform a variety of functions for the Company. These include, but are not limited to, cybermaturity audits, targeted ransomware assessment and table-top exercises, red and purple team attack simulations, internal penetration tests and other internal and external audits. These partnerships enable us to leverage specialized knowledge and insights into our cybersecurity strategies and processes.

Overseeing Third-Party Risk

Because we are aware of the risks associated with third-party service providers, the Company implements processes to oversee and manage these risks. The Company utilizes software products and services to monitor and protect the Company’s environment from possible third-party breaches impacting the Company’s environment. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. Third parties who have access to highly sensitive information due to services performed and data retained are subject to increased scrutiny.

Risks from Cybersecurity Threats

We have not experienced any cybersecurity incidents that we believe have materially affected, or are likely to materially affect, the Company.

Governance

Board of Directors and Audit Committee Oversight

Our board of directors (the “Board”) understands the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats.

The audit committee of the Board (the “Audit Committee”) is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for overseeing these risks. Senior IT leadership regularly informs the Audit Committee, the Chief Financial Officer and other members of the Company’s senior leadership of cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company.

Management’s Role Managing Risk

Senior IT leadership play a pivotal role in managing cybersecurity risk and keeping the Audit Committee apprised of cybersecurity developments. Senior IT leadership provide comprehensive briefings to the Audit Committee on a periodic basis. These briefings encompass a broad range of topics, including:

current cybersecurity landscape and emerging threats;
status of ongoing cybersecurity initiatives and strategies;
learnings from any cybersecurity events; and
compliance with regulatory requirements and industry standards.

In addition to our scheduled meetings, the Audit Committee and senior IT leadership maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. The Company, at the direction of the Audit Committee, conducts periodic reviews of the Company’s cybersecurity posture and the effectiveness of its risk management strategies. These reviews help in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.