CUMULUS MEDIA INC - (CMLS)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Risk Management and Strategy
The Company has an integrated, cross-organizational risk management approach. As part of our overall risk management processes, we assess, identify and manage material risks from cybersecurity threats through our cybersecurity risk management program which leverages the National Institute of Standards and Technology (NIST) framework, organizing cybersecurity risks into five categories: identify, protect, detect, respond and recover. However, this should not be interpreted to mean that we meet any particular technical standards, specifications, or requirements, only that we leveraged the NIST framework as a guide in the creation of our cybersecurity risk management program. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our Chief Technology Officer and security team, led by the SVP of Information Technology and Security (collectively, the "Cumulus Security Team"), monitor cybersecurity incidents using a variety of security information and event management tools. Alerts from those tools are monitored 24/7 and addressed accordingly. The type of incident identified and severity level determine how issues are escalated and who is engaged for resolution. If a cybersecurity incident or aggregated series of incidents is deemed material, the incident is communicated to various members of the Company's leadership team and the Board of Directors. Disaster recovery plans are documented for key systems and would be followed in the event a security incident occurs.
The Company’s cybersecurity risk management program includes ongoing monitoring and testing of its information systems and data to identify and respond to potential cybersecurity threats. Internally, the Company utilizes various incident event management tools to monitor unauthorized account access, data exfiltration and server and network security. Multi-factor authentication and complex password requirements are enabled on all key systems, and privileged account holders have separate administrative accounts. The Company engages consultants from time to time with expertise in network vulnerabilities to perform periodic network penetration testing.
The Company’s cyber risk management program also includes regular security awareness training to educate employees and new hires on the Company’s cybersecurity policies, standards and practices. This training is supplemented by Company-wide testing initiatives, including periodic phishing tests. The Company provides specialized security training for certain employee roles such as application developers and privileged account holders.
In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. The Company utilizes an external risk management tool to assist with oversight and monitoring of third-party cybersecurity risk. Each third-party service provider is vetted, evaluated and scored based on its cybersecurity methodology. For many vendors of third-party hosted applications, we request copies of standard security reports or assessments, such as System and Organization Controls ("SOC") reports, to support our assessment of our vendors’ security practices. If a third-party vendor were not able to provide the requested reports, we would take additional steps to assess its cybersecurity preparedness. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.
We have experienced targeted cybersecurity threats and incidents in the past that have resulted in unauthorized persons gaining access to certain of our information systems, and we could in the future experience similar incidents. To date, no cybersecurity incident, or any risk from cybersecurity threats, has materially affected or has been determined to be reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats we face, see the section captioned "Operating Risks – Disruptions or security breaches of our information technology infrastructure could interfere with our operations, compromise client information and expose us to liability, possibly causing our business and reputation to suffer" within Part I, Item 1A "Risk Factors".

Governance
Our Board of Directors (our "Board") is responsible for risk oversight, and may delegate specific areas of oversight to committees of the Board, which report to the full Board. The Audit Committee of the Board in turn is specifically charged with reviewing cybersecurity risk management and the steps management takes to monitor, control and mitigate such risks. In connection with such review, the Audit Committee receives quarterly reports from the Chief Technology Officer on, among other things, the Company’s cybersecurity risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. In addition to the quarterly reports, the Audit Committee performs an annual review of the Company’s cybersecurity program. The annual review consists of a summary of all systems, processes and staffing in place to mitigate a cybersecurity incident using the NIST framework as a guideline.
Our Chief Technology Officer manages and monitors the Company’s cybersecurity risk and has over 40 years of experience in the technology field. The Cumulus Security Team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes.