E.W. SCRIPPS Co - (SSP)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Protecting our systems and data from cyberthreats is important for ensuring the continuity of operations and maintaining the trust of our customers and stakeholders. Scripps is committed to respecting the privacy of the personal data in its care and complying with applicable privacy-related regulations.

To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected our business, our business strategy, our results of operations or financial condition. For further information, see “We will continue to face cybersecurity and similar risks, which could result in the disclosure of confidential information, disruption of operations, damage to our brands and reputation, legal exposure and financial losses” in Item 1A, Risk Factors of this Annual Report. In the event an attack or other intrusion were to be successful, we have a trained response team of internal and external resources that are prepared to respond.

Cybersecurity Program

Scripps is committed to having a strong cybersecurity program and employs a chief information security officer ("CISO") to oversee the cybersecurity leadership team. The team manages governance, risk and compliance, security operations, and identity and access management. Scripps routinely identifies and considers potential improvements to its cybersecurity program based on the threat landscape. Improvements may include adjustments to staffing or processes or the acquisition of new technology. When such potential improvements are identified, the Company weighs the costs and benefits of such improvements (including against other potential improvements) and, if selected, the improvements are added to a roadmap for possible implementation.

Scripps has implemented certain physical, administrative and technical controls to help secure its enterprise environment and products. Cybersecurity controls include, but are not limited to, the following measures:

Enforce controls that limit access based on job responsibilities and enforce authentication measures, including strong password policies and multifactor authentication where appropriate.

Conduct exercises to ensure the company is prepared to respond to cyber incidents.

Align the cybersecurity program with the NIST Cybersecurity Framework.

Scan our systems for vulnerabilities that may potentially impact our enterprise or products, categorize them based on severity and, where possible, proactively address them to prevent exploitation by threat actors.

Employ a trained incident response team and a managed security service provider to identify and mitigate incidents that bypass our cybersecurity controls to minimize impact to operations.

Incident Response Plan

The Integrated Incident Response Program is reviewed at least annually to ensure alignment with any changes in notification laws, company structure and operations, service providers and the risk landscape. Most recently, we updated the Cyber Incident Response Plan to include materiality assessments in accordance with the new U.S. Securities and Exchange Commission ("SEC") cybersecurity rules. Tabletop exercises are conducted to assess readiness for plan execution.

Any actual or suspected security incident is reported to the CISO. Cybersecurity incidents are evaluated under the Integrated Incident Response Program and flow to the Enterprise Response Team according to clearly defined escalation criteria.

Oversight

Cybersecurity is a key risk included in risk management discussions on the Governance, Risk and Compliance committee that meets quarterly before board meetings. The Board of Directors oversees cybersecurity and technology risks through the Audit Committee, which receives quarterly updates from the CISO. Intermittent updates are provided to the full Board for educational purposes or when special needs arise.

Our chief privacy officer oversees an enterprise-wide privacy program that includes annual training; a “privacy by design” ethos within development teams; privacy-specific contract reviews; and an enterprise-wide privacy platform to manage rights, requests and consent management.

Privacy

We understand the importance of protecting data. Our Privacy Policy defines “personal data” and, among other things, explains its coverage, how personal data is collected and stored, and a user’s rights to restrict its usage or opt out. Our privacy policies are updated annually and are conspicuously displayed on all applicable digital properties. For more information, please see the Privacy Policy on our website.

Employee Training Programs

We launch separate, annual web-based learning modules on cybersecurity, privacy, and various security topics such as phishing, password hygiene and data governance to all employees. The annual security awareness training is reinforced through regular phishing simulations across the enterprise to provide employees with practical exposure to phishing campaigns. Employees who fail phishing simulations must complete additional training.
