Clear Channel Outdoor Holdings, Inc. - (CCO)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company maintains a robust cybersecurity program that promotes confidentiality, integrity and availability of our corporate and customer resources throughout the life cycle of our out-of-home service offerings. Under the oversight of the Audit Committee of our Board of Directors, as more fully explained below, and with the support of the Company’s compliance function and the Company’s internal and external audit functions, the Company operates an enterprise-wide risk management governance framework that sets standards and provides guidance for the identification, assessment, monitoring and control of the most significant risks facing the Company, including cybersecurity. Our enterprise risk management process is guided by the COSO Enterprise Risk Management Framework three lines of defense model, and we further utilize our global Compliance department, legal teams, cybersecurity teams and privacy teams as part of our overall cybersecurity program.
Our cybersecurity program includes comprehensive technology and risk oversight programs designed to ensure that our technology systems and cybersecurity education programs are effective and that we are prepared to report and manage information security risks. We maintain a suite of information and cybersecurity policies, standards and guides, developed using collaboration and transparency principles and based on commonly adopted cybersecurity standards, frameworks and regulatory requirements, including ISO 27001 and publications from the National Institute of Standards and Technology and the Center for Information Security. Furthermore, we perform periodic evaluations of our security programs, information technology infrastructure and information security management systems through internal self-assessments and external independent consultations. In addition, we conduct regular security monitoring for internal and external threats to the confidentiality and integrity of our information assets, and our cybersecurity programs undergo periodic testing with the purpose of achieving swift and orderly restoration of business operations in the event of a cybersecurity incident. Cyber hygiene is integrated into our culture from employee onboarding and lasts throughout the employee life cycle, using various tools, such as frequent information security awareness messages and annual cybersecurity awareness training. As part of testing our programs, we regularly conduct internal simulated phishing campaigns. The Company also maintains comprehensive cyber insurance. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all.
Communication of our cybersecurity values and expectations is extended to our third-party solutions through specific programs, which include monitoring and rating services and open-source intelligence risk assessments. In addition to conducting posture and intelligence reviews of our vendors, our cybersecurity teams conduct evaluations of critical vendors to assess security requirements, and we assess our service level agreements so that cyber controls and practices are embedded within them at the levels set out in our cybersecurity standards.
We have experienced, and may in the future experience, whether directly or through our supply chain partners, cybersecurity incidents. While prior cybersecurity incidents have not had a material impact on the Company, future cybersecurity incidents, including breaches, could have a material impact on our business, operations and reputation. For additional information about the Company’s cybersecurity risks, please refer to “Technology Risks” in Item 1A, Risk Factors.
Governance
Our Board of Directors has delegated oversight of risks related to cybersecurity to the Audit Committee. The Audit Committee is, therefore, charged with reviewing our cybersecurity processes for assessing key strategic, operational and compliance risks. Our Corporate Compliance Officer briefs the Audit Committee on cybersecurity risks at each of its meetings, which occur at least four times each year. These briefings include an assessment of cyber risks, an overview of the cyberthreat landscape, updates on cybersecurity incidents and reports on our investments in cybersecurity risk mitigation strategies and technologies and related corporate governance. In addition, our domestic and European chief technology officers brief the Audit Committee on cybersecurity risks at least annually. The Audit Committee then provides updates on significant cybersecurity matters to the Board periodically.
Regional heads of cybersecurity and chief technology officers oversee their respective cybersecurity programs, including regional Cybersecurity Steering Committees (each, a “CSSC”), which are comprised of senior executives and extended leadership, and which provide oversight of cybersecurity investments by monitoring, evaluating, approving and supporting actions related to cybersecurity risk, incident management, investment and prioritization of projects and services.
Each CSSC meets quarterly and reports to the Company’s senior management team, including the Corporate Compliance Officer, on progress towards specific cybersecurity objectives. A strong partnership exists between our information technology, enterprise security, internal audit and legal and compliance functions so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.
Our Corporate Compliance Officer is Karis McLarty. Ms. McLarty is an international privacy, economic crime and corporate human rights lawyer. Ms. McLarty has 20 years of experience specializing in U.S. and cross-border protection of large companies. Her areas of responsibility cover privacy, cyber risk and data protection; COSO, COBIT and ISO governance; forensic investigations, including regarding privacy and cyber issues; and regulator reporting, economic crime, antitrust and sustainability. Ms. McLarty holds the CIPP/E certification in European Data Protection and two Master’s degrees in Jurisprudence and Forensic Psychology (MA Oxon, MSc).
Our domestic Chief Technology Officer, Christian Aaselund, oversees the integration and security of the Company’s digital products, infrastructure and all user-facing technology. Mr. Aaselund has over two decades of experience in technology leadership. His career reflects a broad spectrum of expertise, from spearheading tech solutions in startups to executing strategic initiatives in large enterprises.
Our domestic cybersecurity program is overseen by our Head of Cybersecurity, Louie Garcia. Mr. Garcia has over 18 years of cybersecurity experience, spanning threat perspectives, cyber exercise development and training, enterprise vulnerability assessments, defensive and offensive network solutions and operational evaluation of cyber products.
Our European Chief Technology/Information Officer and our European Head of Information Security each have approximately 25 years’ experience in the technology industry, with our Head of Information Security having focused for the last 10 years solely on the Information Security and Cybersecurity domains.
Our Head of Information Technology for Latin America, who oversees Cybersecurity, has 25 years of experience in strategic IT leadership and global project management.
