Arena Group Holdings, Inc. - (AREN)
10-K Filing Date: April 01, 2024
As a tech-powered media company, we face cybersecurity threats, such as ransomware and denial-of-service, and attacks on technical infrastructure. Our customers and suppliers face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations.
We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program addresses cybersecurity risks to the corporate information technology (“IT”) environment including systems, hardware, software, data, people, and processes.
The Audit Committee of the Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks. Our VP of Information Security regularly briefs senior leadership on our cybersecurity and information security posture including on the prevention, detection, mitigation, and remediation of cybersecurity incidents, and senior leadership will then brief the Audit Committee. In the event of an incident, we intend to follow our incident response playbook, which outlines our planned response from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate.
Our security team is responsible for our overall information security strategy, including policy, security engineering, operations and cyber threat detection and response. Our security team has extensive experience selecting, deploying, and overseeing cybersecurity technologies, initiatives, and processes. Employees outside of our security team also have a role in our cybersecurity defenses, and they are given training which we believe improves our cybersecurity.
Third parties also play a role in our cybersecurity risk management strategy. We engage third parties to conduct risk assessments and evaluations of our security controls. Such risk assessments and evaluations identify, quantify, and categorize any cyber risks. In addition, we, along with third-party cyber risk management specialists, develop a risk mitigation plan to address such risks, and, where necessary, remediate potential vulnerabilities identified through the assessment and evaluation process. Third-party cybersecurity risk management engagement also includes activities such as penetration testing, independent audits or consulting on best practices to address new challenges. We include security and privacy addendums to our contracts where applicable. We have also commenced third-party risk management assessments to help manage the risks associated with reliance on vendors, critical service providers, and other third parties that may lead to a service disruption or an adverse cybersecurity incident.
Our VP of Information Security and cybersecurity stakeholders regularly brief the senior leadership team on cyber vulnerabilities identified through the risk management process, the effectiveness of our cyber risk management program, the emerging threat landscape, and new cyber risks on at least an annual basis. This includes updates on our processes to prevent, detect, and mitigate cybersecurity incidents.
Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our operations, business strategy, regulatory compliance, results of operations, or financial condition. The Company proactively seeks to detect and investigate unauthorized attempts and attacks against Company IT assets, data, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to internal processes and tools and changes or updates to Company service delivery; however, potential vulnerabilities to known or unknown threats will still remain. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.