NEW YORK TIMES CO - (NYT)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Trust underpins our mission and values and we believe that cybersecurity is important to our success. We are susceptible to a number of cybersecurity threats, including those common to most industries as well as those we face as a global media organization whose systems store and process subscriber, user, employee and other personal and Company data. We, and third parties with which we work and on which we rely, regularly face attempts by malicious actors to breach our security and compromise our information technology systems, and a cybersecurity incident impacting us or any such third party could harm our reputation; require us to expend resources to respond to and recover from such a security incident or defend against further attacks; divert management’s attention; subject us to liability; or otherwise adversely affect our business. Because of these risks, we take cybersecurity seriously.
Under the oversight of our Board of Directors, and the Audit Committee of the Board, we have developed and maintain an information security program that includes technical, administrative and physical measures designed to safeguard our information and information systems. Cybersecurity risk management is integrated into our broader risk management framework. Our approach includes elements that are proactive and adaptive, using security assessments, employee training and continuous improvement of our cybersecurity infrastructure. We work to align our practices with industry and regulatory standards. Our information security program includes response procedures to be followed in the event of a cybersecurity incident that outline steps to be followed from detection to assessment to notification and recovery, including internal notifications to management, the Audit Committee and the Board, as appropriate. Business continuity and disaster recovery plans are used to prepare for the potential for a disruption to systems or processes we rely on.
Our Board of Directors recognizes the importance of managing risks associated with cybersecurity threats and provides oversight of the Company’s information security program. Risk is an integral part of the Board’s deliberations throughout the year and the Board exercises its oversight responsibility both directly and through its committees. In particular, the Audit Committee oversees risks relating to information security, including cybersecurity risks. Members of management, including the Company’s Chief Information Security Officer (“CISO”), provide the Audit Committee with updates on cybersecurity and information technology matters at least twice a year, and the Audit Committee and management also provide updates to the Board. In addition to reporting to the Audit Committee and Board, the CISO provides periodic reports to our Chief Executive Officer and other members of our senior management as appropriate. The Audit Committee, or the Board, is notified by the CISO of cybersecurity incidents, as appropriate, in accordance with the Company’s incident response processes.
The Board’s risk oversight is enabled by an enterprise risk management program designed to identify, prioritize and assess a broad range of risks, including risks related to cybersecurity, that may affect the Company’s ability to execute its corporate strategy and fulfill its business objectives, and to formulate plans to mitigate their effects.
Our cybersecurity department, led by our CISO, has primary responsibility for our enterprise-wide information security program and our risk management team works closely with our cybersecurity department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs on an ongoing basis. Our current CISO has been in that position since October 2022 and has broad information technology experience as a result of that role and past work experience. Our CISO manages a team with broad cybersecurity experience, including in cybersecurity threat management, cybersecurity training and education, incident response, cyber forensics, insider threats, business continuity and disaster recovery, and regulatory compliance. The cybersecurity department receives support to maintain the information security program from other functions, such as information technology, corporate security, internal audit and legal. Our CISO is informed about and monitors prevention, detection, mitigation and remediation efforts through regular communication and reporting from the internal team. We also engage and rely on third parties to support our information security program, such as assessors, consultants, contractors, auditors and other third-party service providers. In addition, we maintain policies and processes to assess and manage risks relating to third-party service providers, based on the nature of the engagement with the third party and based on the information and information systems to which the third party will have access. We maintain policies to conduct due diligence before onboarding new service providers and maintain ongoing evaluations to ensure compliance with our security standards.
As of the date of this report, no cybersecurity incidents have had a material adverse effect on our business, financial condition or results of operations. Notwithstanding our ongoing investments in our cybersecurity program, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cyber risk insurance, the costs relating to certain kinds of security incidents could be substantial, and our insurance may not be sufficient to cover all losses related to any future incidents involving our data or systems.
See Item 1A. “Risk Factors — Risks Related to our Data Platform, Information Systems and Other Technology — Security incidents and other network and information systems disruptions could affect our ability to conduct our business effectively and damage our reputation” and “— Failure to comply with laws and regulations with respect to privacy, data protection and consumer marketing and subscriptions practices could adversely affect our business” for a discussion of cybersecurity risks that may impact us.