NEWS CORP 10-K Cybersecurity GRC - 2024-08-13

Page last updated on August 13, 2024

NEWS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-13 07:05:30 EDT.

Filings

10-K filed on 2024-08-13

NEWS CORP filed a 10-K at 2024-08-13 07:05:30 EDT
Accession Number: 0001564708-24-000408


Item 1C. Cybersecurity.

Risk Management and Strategy

As a high-profile global media and information services company with a wide array of digital products and services, the Company is subject to risks associated with cybersecurity threats. The Company has developed and implemented a cybersecurity program designed to manage these threats, including the assessment, identification and management of cybersecurity risks, and related protection, response, mitigation and recovery efforts. The program is overseen and monitored by a dedicated internal global cybersecurity organization, led by the Company’s Chief Information Security Officer (“CISO”), who reports directly to the Company’s Chief Technology Officer (“CTO”), and supported by designated cybersecurity risk leaders at the Company’s business units. The Company’s cybersecurity program is informed in part by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and leverages a defense-in-depth approach to managing cybersecurity risk. The governance, principles and framework for the program are set forth in the Company’s Global Cybersecurity Governance Principles Framework and are complemented by a set of global cybersecurity policies designed to promote secure cyber and data practices among Company personnel. The Company reinforces a culture of secure behavior through annual cybersecurity and privacy awareness trainings, quarterly phishing exercises and regular delivery of other security awareness content via newsletters, departmental meetings and periodic campaigns, as well as specialized secure development training for product development teams.
In addition, the Company employs various technical measures and processes to address the cybersecurity threats it faces, which may include reporting, monitoring and alert tools, multi-factor authentication, encryption, endpoint detection and response, email and cloud security tools, vulnerability scanning tools, threat intelligence monitoring and application resilience measures, as well as threat modeling, architecture design reviews and code reviews performed by its product security team. The Company maintains a cybersecurity incident response policy and plan, which in conjunction with the above measures, are designed to facilitate detection, analysis, containment, remediation and recovery from cybersecurity incidents and set forth processes to manage, escalate and, as appropriate, report such incidents based on their potential impact to the Company. The Company also undertakes disaster recovery and business continuity planning and maintains certain system redundancies to limit the impact of cybersecurity incidents and other disruptions, but there can be no assurance that these efforts will be successful. The Company conducts periodic testing and assessments of its cybersecurity program, both through internal security personnel and third-party firms. The Company engages consultants and other independent third parties to periodically perform internal and external penetration testing, security audits, incident response readiness exercises and assessments of the Company’s cybersecurity risk management practices, including a maturity assessment of the Company’s cybersecurity program based on the NIST Cybersecurity Framework approximately every two years. The Company may also consult with external legal counsel, third-party experts and other advisors in connection with incident response and recovery efforts and forensic investigations. 
The Company’s processes for identifying, assessing and managing cybersecurity risk are integrated into the Company’s overall risk management process. The Company’s internal audit group monitors the Company’s risk profile and conducts regular enterprise-wide integrated risk assessments, with input from corporate and business unit management and personnel, to identify and assist the Board of Directors and senior executives in managing key existing and emerging risks for the Company and its businesses, including cybersecurity risk. The risk assessment process culminates in semi-annual reports to the Audit Committee and the Board of Directors.

In addition to its own systems and technology, the Company relies on third-party service providers for certain software, technology and cloud-based systems and services that support a variety of critical business operations. The Company has policies and processes designed to identify, assess and manage cybersecurity risk relating to these third-party service providers. When contracting with these providers, the procurement function works closely with the compliance, cybersecurity, privacy and legal teams to conduct diligence and help appropriately manage risk, including cybersecurity risk, throughout the life cycle of the contract. The Company and its business units have developed, and seek to incorporate, standard contractual security requirements into their service provider agreements. The Company also performs cybersecurity assessments of third-party service providers where it deems appropriate given the nature of the engagement and the data and systems expected to be accessed. Although the Company dedicates significant resources and efforts to protect against cybersecurity risks, the Company has experienced, and expects to continue to be subject to, cybersecurity threats.
To date, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, the Company continues to face cybersecurity risks such as those described in “Item 1A. Risk Factors” in this Annual Report on Form 10-K, and there can be no assurance that cybersecurity threats or incidents will not have a material adverse effect on the Company in the future. While the Company maintains cyber risk insurance, such insurance may not be sufficient to cover all losses from cybersecurity incidents.

Governance

News Corp’s Board of Directors oversees the Company’s processes for identifying, assessing and managing significant risks facing the Company, and each of the Board’s standing committees assists the Board within the areas delegated to that committee. The Board of Directors has delegated to the Audit Committee primary responsibility for overseeing risks related to cybersecurity, including reviewing with management the Company’s major cyber-related risk exposures and the steps that have been taken to monitor and control such exposures. The Audit Committee generally receives reports at least quarterly from the CTO and CISO on the Company’s cybersecurity program covering various topics, including incident reporting, a review of the global cyber risk-map, updates on NIST maturity assessments, employee training and technology solutions and other practices designed to minimize the risks associated with cybersecurity threats, and updates the Board of Directors as appropriate. Management is responsible for identifying, assessing and managing material cybersecurity risks on a day-to-day basis.
The Company’s Global Cybersecurity Steering Committee, comprised of the CTO, CISO and representatives from internal audit, legal, finance, privacy and human resources, is responsible for overseeing the Company’s cybersecurity controls and generally meets on a quarterly basis. The Company’s global cybersecurity organization, led by the CISO, is responsible for developing and implementing cybersecurity policies and procedures and identifying potential risks across the Company and works closely with dedicated cybersecurity personnel at the Company’s business units. The Company’s CTO has been in his senior leadership role since 2020. He has held similar positions prior to joining News Corp, has over 30 years of experience in various cybersecurity and information technology infrastructure and risk management roles and holds an advanced degree in information systems. The Company’s CISO has been in his senior leadership role since 2021 and has over two decades of industry experience in cybersecurity and other technology-related roles, including as the Director of Cyber and Telecom Policy in the White House, where he advised senior administration officials on cybersecurity, technology and telecommunications policy issues. As part of the Company’s cybersecurity program, described above, the CISO is informed about and monitors the Company’s prevention, detection, response, mitigation and remediation efforts related to cybersecurity threats through regular communication and reporting from the Company’s cybersecurity team. The CISO works closely with representatives from the Company’s legal group, including to oversee compliance with legal, regulatory and contractual security requirements. The CISO provides regular updates to the CTO and the Global Cybersecurity Steering Committee and to other members of executive management, as appropriate. 
The Company’s reporting framework also includes its incident response policy and plan and other policies and processes which set forth specific procedures for internal and external reporting in the event of a cybersecurity incident, including notification to the Audit Committee, or the Board of Directors, as appropriate.


Company Information

Name: NEWS CORP
CIK: 0001564708
SIC Description: Newspapers: Publishing or Publishing & Printing
Ticker: NWSA - Nasdaq, NWS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: June 29