Warner Bros. Discovery, Inc. - (WBD)

10-K Filing Date: February 23, 2024
ITEM 1C. Cybersecurity.
We have a cybersecurity program to assess and manage risks to the confidentiality, integrity, and availability of our data, networks and technology assets across WBD. Our Chief Information Security Officer (“CISO”) is responsible for cybersecurity risk oversight and oversees a global organization whose responsibilities include proactively managing and monitoring information and content security, cybersecurity risk, and processes to enable secure and resilient access to, and use of, WBD products and services. Since the closing of the Merger in 2022, we have continued to strengthen and enhance our cybersecurity program and integrate it into our overall risk management processes.
Risk Management and Strategy
We have a cybersecurity risk management strategy for safeguarding our digital assets that includes both technical and non-technical cybersecurity controls. Our multi-layered technical defense involves a series of protective measures across various levels of our technology environment. This includes fortifying our network perimeter through intrusion detection and prevention systems, securing individual devices with antivirus solutions and endpoint detection, implementing network security measures, and ensuring the resilience of applications. In addition to these technical security solutions, we also leverage non-technical methods, such as promoting a cybersecurity-conscious culture throughout WBD which includes mandatory annual cybersecurity training for all employees, a regular cadence of cybersecurity messaging to our employees, and frequent phishing simulations. Further, we engage independent third parties to conduct annual internal and external penetration testing and independent assessments of our cybersecurity risk management practices using the National Institute of Standards and Technology’s cybersecurity framework and other leading industry practices as guidelines. We also engage an independent third party to conduct a biennial cybersecurity maturity assessment to evaluate the maturity of our entire cybersecurity program.
We also invest in cybersecurity incident detection and response. Our Cybersecurity Operations Center provides continuous threat monitoring and anomaly detection that is intended to prevent or minimize damage from a cybersecurity attack. We have a Cybersecurity Incident Response Plan that establishes procedures, roles, responsibilities, and communication protocols for WBD executive management and technical staff in the event of a cybersecurity incident. We test the efficacy of the Cybersecurity Incident Response Plan and assess our response capabilities by conducting annual tabletop exercises that simulate cybersecurity threat scenarios.
We have ongoing processes to identify and assess cybersecurity risks associated with current and prospective third-party service providers. These processes include a vendor cybersecurity compliance assessment at the time of onboarding, contract renewal and/or as needed in the event of a cybersecurity incident affecting such third-party vendor. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and notify us in the event of a cybersecurity incident that impacts us.
We have established cybersecurity information sharing and collaboration practices with both government agencies and industry partners, which we believe enhances our overall cybersecurity resilience.
Governance
We have established a cybersecurity governance structure to engage appropriate stakeholders. Our CISO is informed about and monitors our prevention, detection, mitigation and remediation efforts related to cyber threats through regular communication and reporting from our information security team. Our Chief Financial Officer, our Chief Legal Officer, our Chief Audit and Risk Officer and our Chief Information Officer also have input and involvement in our cybersecurity program. Our Board of Directors has an active role, as a whole and at the committee level, in overseeing the Company’s overall risk management, including cybersecurity risks. Our Board of Directors has delegated responsibility for cybersecurity and information technology risks to our Audit Committee and is regularly informed about such risks through committee reports and other presentations. Our Audit Committee regularly reviews and discusses our cybersecurity risks and is updated by our CISO on how we identify, assess and mitigate those risks. Our Audit Committee receives quarterly updates from our CISO on our cybersecurity risk posture, the status of projects to strengthen and enhance our cybersecurity program, the evolving threat landscape, and cybersecurity incident reports and learnings. The Audit Committee also periodically devotes additional meeting time, as needed, to in-depth discussions on a particularly relevant cybersecurity topic or to education on developments in the realm of cybersecurity. In addition to the quarterly incident reports, cybersecurity incidents meeting pre-determined criteria are reported to the Audit Committee outside of regularly scheduled quarterly updates and to WBD executive management as needed. See Item 1A, “Risk Factors” for details on the risks from cybersecurity threats that we face.
27


Our CISO has over 30 years of expertise in global digital and information security, cybersecurity risk management, data privacy and compliance across diverse industries including media and entertainment, biotechnology, pharmaceuticals, financial services, and government defense sectors and holds multiple industry-recognized certifications including, among others, a Certificate of Cybersecurity Oversight from the National Association of Corporate Directors and a Certified Information Systems Security Professional certification.