Madison Square Garden Sports Corp. - (MSGS)
10-K Filing Date: August 13, 2024
Item 1C. Cybersecurity
All companies utilizing technology are subject to the risk of breaches of or unauthorized access to their computer systems. The Company maintains a cyber risk management program designed to assess, identify and manage cybersecurity threats. The Company’s cyber risk management program has been integrated into our overall risk management program. The Audit Committee of our Board of Directors and our management are involved in the oversight of our risk management program, of which cybersecurity represents an important component. We have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats and incidents. Our policies and processes include, among other things:
•regular system security testing;
•a cybersecurity incident response policy (including the use of third-party vendors, as needed);
•periodic and ongoing security awareness training for employees;
•the use of several comprehensive vulnerability analysis systems to evaluate software vulnerabilities both internally and externally; and
•mechanisms to detect and monitor unusual network activity.
The Company also requires that all third-party vendors that have access to or handle sensitive information undergo a risk-based vendor security assessment. We also maintain controls and procedures that are designed to promptly escalate certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Audit Committee of our Board of Directors in a timely manner. There can be no guarantee that our policies and processes will be properly followed in every instance or that those policies and processes will be effective.
Our cyber risk management program is based on recognized best practices and standards for cybersecurity and information technology and aims to identify and address cybersecurity risks through a comprehensive, cross-functional approach. The Company has established a cybersecurity leadership response team consisting of members of senior management, including the Chief Security Officer (“CSO”) of MSG Entertainment (who provides services to the Company), the Company’s Chief Financial Officer and Treasurer (“CFO”), and the head of the Company’s legal department (“Head of Legal”), as well as a tactical incident response team comprised of employees from the threat management department.
The CSO is primarily responsible for leading the tactical incident response team, including the implementation of defense capabilities and risk mitigation strategies, and communicating with senior management and the cybersecurity leadership response team. The CSO has over 20 years of security operations, information technology and cybersecurity experience. He has served as Executive Vice President and Chief Security Officer at MSG Entertainment since April 2023 and, prior to the MSGE Distribution, held senior roles at Sphere Entertainment, including serving as Executive Vice President and Chief Security Officer from 2021 to April 2023 and Senior Vice President and Chief Security Officer from 2020 to 2021, and served as the Company’s Senior Vice President and Chief Security Officer from 2018 to 2020 prior to the Sphere Distribution. He is supported by his direct reports and their teams.
The cybersecurity leadership response team also includes other senior members from the legal, internal audit, communications and threat management departments. This leadership response team meets as needed to review various cybersecurity and data privacy matters as escalated by the tactical incident response team and receives periodic updates from the tactical incident response team on such matters. The tactical incident response team is responsible for maintaining processes to assess, identify and manage material risks from cybersecurity threats and has primary responsibility for executing the response to any cybersecurity incident. In addition, the CSO and/or the tactical incident response team have identified third party vendors that can assist as needed with responding to any cybersecurity incident and determines if members of the cybersecurity leadership response team or other employees or vendors should be involved in the Company’s response.
Our Audit Committee is responsible for overseeing the Company’s risk management on behalf of our Board of Directors, which includes overseeing the Company’s management of its cybersecurity and data privacy. The CSO (or a senior member of his team) reports annually to the Audit Committee regarding the Company’s information security and cybersecurity risks. In addition, the Company’s CFO and Head of Legal communicate with the Company’s Audit Committee or its chair upon the occurrence of specified types of cybersecurity-related events, in accordance with the Company’s incident response policy. The Head of Legal, the CFO and the Vice President, Internal Audit & SOX of MSG Entertainment (who provides services to the Company) also attend quarterly meetings of the Audit Committee to provide quarterly reports with updates on, among other things, cybersecurity risks facing the Company. The Audit Committee reports to the Board of Directors at least annually regarding its responsibilities and actions taken throughout the year, which includes any significant activities regarding its oversight of risks from cybersecurity threats.
We have in the past experienced, and may experience again in the future, material cybersecurity incidents that may have an adverse effect on our business strategy, results of operations or financial condition by subjecting us to, among other things, reputational harm, legal or regulatory action and/or financial losses. For example, in November 2016, a payment card issue that affected cards used at merchandise and food and beverage locations at several of MSG Entertainment’s venues, including The Garden, was identified and addressed with the assistance of security firms. Although the issue was promptly fixed and enhanced security measures were implemented, we continue to face cybersecurity threats, as discussed in Item 1A. Risk Factors, including in the risk factor entitled “We Face Continually Evolving Cybersecurity and Other Technology-Related Risks, Which Could Result in Loss, Disclosure, Theft, Destruction or Misappropriation of, or Access to, Our Confidential Information and Cause Disruption to Our Business, Damage to Our Brands and Reputation, Legal Exposure and Financial Losses.”