Graham Holdings Co - (GHC)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy.
The Company is a holding company and its business units are decentralized. Together with its business units, the Company maintains a risk-based information security program establishing administrative, technical, and physical safeguards that are designed for the size, scope and type of the Company’s businesses.
The information security program is designed to protect the confidentiality, integrity, and availability of the Company’s information systems and data, and safeguard information systems and data in accordance with applicable local, state, federal or international laws, regulations, or standards.
The Company’s information security program is risk-based; the Company and its business units perform business impact assessments and risk assessments on a regular basis to calibrate areas of focus. Cybersecurity risks are evaluated as a part of the broader risk management activities at the Company.
The Company and its business units leverage several information security controls frameworks, standards and best practices, with the International Organization for Standardization (ISO) 27001 standard used as the overarching framework. ISO 27001 establishes a multi-pronged information security standard for organizations to manage information security risks, build cyber resilience, and improve operations.
Third-party service provider risk management is one of many components of the Company’s information security program. The Company and its business units use a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties that could adversely impact the Company. This approach may include, but is not limited to, reviewing and assessing providers’ cybersecurity maturity, conducting diligence on certain providers’ information security programs, and/or imposing contractual obligations on the provider depending on the type and quantity of data involved, the access provided to Company systems, the type of provider and the criticality of outsourced operations.
The Company maintains an incident response plan that is distributed to its business units for customization according to their specific operations and internal reporting structures. The Company leverages third-party cybersecurity experts to review the response plan and facilitate incident response exercises for its business units. The Company licenses third-party software that provides incident response simulation capabilities and playbooks and makes that available to its business units and also retains a third-party cybersecurity firm to provide assistance if needed during a cybersecurity incident.
The Company and its business units engage third parties to assess various aspects of the information security program, provide threat intelligence, perform external audits, perform penetration testing, and provide other services as needed.
The Company and its business units have not been materially affected by risks from cybersecurity threats. For a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect the Company, see Item 1A Risk Factors.


Governance.
The Board of Directors has delegated oversight of risks related to cybersecurity to the Audit Committee which reports on its risk management activities, including risks arising from cybersecurity threats, to the full Board. The Company’s Vice President of Information Security and Privacy reports to the Audit Committee on an annual basis. In addition, the Audit Committee receives quarterly updates as part of the disclosure control process and updates, as needed, for significant issues.
The annual report to the Audit Committee includes an overview of multiple topics, such as current cybersecurity threats; other cybersecurity risks, including operational, legal/regulatory, and reputational risks; a status summary of company-wide metrics relating to information security controls (e.g., controls addressing vulnerability and patch management, web and mobile application security, administrative access, incident response capability, compliance activities, disaster recovery, sensitive data inventory, and phishing prevention); and planned information security initiatives.
At the Company’s corporate level, the Information Security and Privacy team monitors the prevention, detection and remediation of cybersecurity incidents and coordinates with the Company’s business units to assess information security posture and risk. This coordination includes, for example, performing business impact assessments, conducting risk assessments, and testing and evaluating key aspects of business units’ information security programs, the results of which are reported to the Company’s senior management and the Audit Committee as appropriate.
The Company’s Information Security and Privacy team is led by the VP of Information Security and Privacy who reports to the Company’s Chief Financial Officer. She joined the Company in 2003 and has more than 30 years of relevant experience. Before joining the Company, she served as the federal government and southeast region leader of Guardent (now part of Verisign), a security and privacy consulting and managed security services company. Prior to Guardent, she worked at PricewaterhouseCoopers LLP in the Technology Risk Services consulting practice. She is a strategic advisor to several organizations in the information security and privacy field and is a Certified Information Systems Security Professional (CISSP), and a Certified Information Privacy Professional (CIPP).
Members of the Company’s Information Security and Privacy team have an average of more than 20 years of information security and compliance experience, spanning diverse environments and industries, government agencies, and public and private companies. All members of the core team maintain cybersecurity certifications and attend regular training programs relating to information security, privacy and compliance.
The Company views information security as a shared responsibility. It requires employees to complete information security and privacy awareness training and sends out regular communications on information security and privacy topics. Developers are trained regularly on secure coding practices and the Company mandates that every business unit perform phishing exercises quarterly. Some employees receive additional in-depth training related to their individual job responsibilities.