Liberty Media Corp - (LSXMA)
10-K Filing Date: February 28, 2024
Risk Management and Strategy
We are committed to protecting the security and integrity of our systems, networks, databases and applications and, as a result, have implemented processes designed to prevent, assess, identify, and manage material risks associated with cybersecurity threats. Liberty’s corporate level IT and cybersecurity functions assess, identify, and manage risks from cybersecurity threats at the corporate level, while Formula 1 operates its own cybersecurity function with oversight from Liberty.
Sirius XM Holdings, as a separate publicly traded company from Liberty, operates its own cybersecurity function. While primary oversight for Sirius XM Holdings rests with its board of directors and Audit Committee, we receive regular reporting from Sirius XM Holdings management and collaborate with those tasked with oversight to ensure risks are appropriately addressed.
Live Nation, an equity affiliate, as a separate publicly traded company from Liberty, operates its own cybersecurity function. Oversight for Live Nation’s cybersecurity functions rests with its board of directors, of which our CEO is the Chairman, in collaboration with Live Nation’s Global Data Governance Board and Audit Committee.
Cybersecurity risks are assessed as part of our enterprise risk assessment and risk management program and our cybersecurity risk management program is designed and assessed based on recognized frameworks, including the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF”).
We rely on a multidisciplinary team, including our information security function, legal department, management, and third-party consultants, as described further below, to identify, assess, and manage cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, using manual and automated tools such as vulnerability scanning software, monitoring existing and emerging cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our industry’s risk profile, utilizing internal and external audits and assessments, and conducting threat and vulnerability assessments.
To manage and mitigate material risks from cybersecurity threats to our information systems and data, we implement and maintain various technical, physical and organizational measures, processes and policies. These measures include risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our IT, Security and other departments, encryption of data, network security controls, access controls, physical security, asset management, system monitoring, vendor risk management program, employee cybersecurity awareness and training, phishing tests, and penetration testing. Cybersecurity awareness training is also made available annually to our Board of Directors.
In the event of a potential cybersecurity incident, or a series of related cybersecurity incidents, we have cybersecurity incident response frameworks in place at the corporate level and at Formula 1. These frameworks are a set of coordinated procedures and tasks that our incident response teams execute with the goal of ensuring timely and accurate identification, resolution and reporting of cybersecurity incidents both internally and externally, as necessary.
I-66
To operate our businesses, we utilize certain third-party service providers to perform a variety of operational functions. We have implemented a third-party risk management program to evaluate the cybersecurity practices of higher risk vendors and vendors that encounter our systems or data. We additionally engage and retain third-party consultants, legal advisors and assessors to keep us apprised of emerging third-party risk, defense and mitigation strategies, and governance best practices.
Impact of cybersecurity risks on business strategy, results of operations or financial condition
As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.
For additional information on our cybersecurity risks, see “The degradation, failure or misuse of the Company’s information systems could cause a disruption of services or improper loss, use and disclosure of personal data or other confidential information, resulting in increased costs, liabilities or loss of revenue." in Part I, Item 1A of this Annual Report on Form 10-K.
For additional information on Sirius XM Holdings’ cybersecurity program and risks refer to Item 1C in their 2023 Form 10-K, filed on February 1, 2024.
Governance
Role of the Board of Directors
Our Board of Directors has overall responsibility for risk oversight and has delegated to the Audit Committee primary enterprise risk oversight responsibility, including privacy and cybersecurity risk exposures, policies and practices, the steps management takes to detect, monitor and mitigate such risks and the potential impact of those exposures on our business, financial results, operations and reputation. The Audit Committee receives quarterly updates on the enterprise risk management program, including cybersecurity risks and the initiatives undertaken to identify, assess and mitigate such risks. This cybersecurity reporting may include threat and incident reporting, vulnerability detection reporting, risk mitigation metrics, systems and security operations updates, employee education initiatives, and internal audit observations, if applicable.
In addition to the efforts undertaken by the Audit Committee, the full Board of Directors regularly reviews matters relating to cybersecurity risk and cybersecurity risk management. Any material cybersecurity events would be brought to the attention of the full Board of Directors once the event is deemed material. We additionally use our incident response framework as part of the process we employ to keep our management and Board of Directors informed and to monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Role of Management
We have established a cross functional Information Security Steering Committee (“ISSC”) with executives from our Legal, Accounting, Internal Audit and Risk Management, Cybersecurity and Facilities departments. The ISSC has management oversight responsibility for assessing and managing technology and operational risk, including information security, fraud, vendor, data protection and privacy, business continuity and resilience, and cybersecurity risks at the corporate level and our subsidiaries. The ISSC receives regular reports and updates from Sirius XM Holdings regarding their cybersecurity risk management activities and incidents that have occurred, if any.
At Formula 1, the Head of Information Security, together with the Director of IT, are responsible for day-to-day management and oversight of subsidiary cybersecurity, including assessing, monitoring and mitigating cybersecurity risk as well as regular reporting to Formula 1 executive management and the ISSC.
Liberty and Formula 1 have also established a Risk and Compliance Committee responsible for overseeing and monitoring all corporate compliance initiatives at Formula 1, including cybersecurity. The Risk and Compliance
I-67
Committee is composed of members of Liberty’s ISSC as well as members of Formula 1’s executive leadership team, including the Chief Financial Officer and General Counsel. The Head of Information Security provides quarterly updates to the Risk and Compliance Committee on cybersecurity risks and initiatives as well as any cybersecurity events, as applicable.
At Sirius XM Holdings, the Chief Information Security Officer, together with the Chief Product and Technology Officer and Chief Information Officer, are responsible for the day-to-day management of cybersecurity risks. Sirius XM Holdings has also established a Security Council, which includes the Chief Executive Officer, Chief Commercial Officer, Chief Product and Technology Officer, Chief Information Security Officer, Chief Information Officer, Chief Financial Officer, General Counsel and other senior officers, that meets on at least a quarterly basis to review cybersecurity and information security matters. The Security Council has primary management oversight responsibility for assessing and managing information security, fraud, vendor, data protection and privacy, and cybersecurity risks.
Our management team’s experience includes a diverse background in telecom, technology, media and other industries, with decades of experience in various aspects of cybersecurity. Liberty’s Head of Cybersecurity has more than 25 years of cybersecurity and IT experience and holds Certified Information Security Manager and Certified in Risk and Information System Control certifications. Formula 1’s Head of Information Security and Director of IT together have more than 30 years of experience and the Head of Information Security has multiple certifications, including Certified Cyber Professional and Senior Security & Risk Advisor. Sirius XM Holdings’ Chief Information Security Officer, Chief Product and Technology Officer and Chief Information Officer each have more than 20 years of professional experience in the information security area. All have worked at a variety of companies, including large publicly traded companies, implementing and managing IT and cybersecurity programs and teams, developing tools and processes to protect internal networks, business applications, customer facing applications and customer payment systems.