Sphere Entertainment Co. 10-K Cybersecurity GRC - 2024-08-14

Page last updated on August 14, 2024

Sphere Entertainment Co. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-14 07:21:26 EDT.

Filings

10-K filed on 2024-08-14

Sphere Entertainment Co. filed a 10-K at 2024-08-14 07:21:26 EDT
Accession Number: 0001795250-24-000026

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity All companies utilizing technology are subject to the risk of breaches of or unauthorized access to their computer systems. The Company maintains a cyber risk management program designed to assess, identify and manage cybersecurity threats. The Company’s cyber risk management program has been integrated into our overall risk management program. The Audit Committee of our Board of Directors and our management are involved in the oversight of our risk management program, of which cybersecurity represents an important component. We have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats and incidents. Our policies and processes include, among other things: - regular system security testing; - a cybersecurity incident response policy (including the use of third-party vendors, as needed); - periodic and ongoing security awareness training for employees; - the use of several comprehensive vulnerability analysis systems to evaluate software vulnerabilities both internally and externally; and - mechanisms to detect and monitor unusual network activity. The Company also requires that all third-party vendors that have access to or handle sensitive information undergo a risk-based vendor security assessment. We also maintain controls and procedures that are designed to promptly escalate certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Audit Committee of our Board of Directors in a timely manner. There can be no guarantee that our policies and processes will be properly followed in every instance or that those policies and processes will be effective. Our cyber risk management program is based on recognized best practices and standards for cybersecurity and information technology and aims to identify and address cybersecurity risks through a comprehensive, cross-functional approach. The Company has established a cybersecurity leadership response team consisting of members of senior management, including the Chief Security Officer (“CSO”) of MSG Entertainment (who provides services to the Company), the Company’s Chief Financial Officer (“CFO”), and the Company’s General Counsel (“GC”), as well as a tactical incident response team comprised of employees from the threat management department. The CSO is primarily responsible for leading the tactical incident response team, including the implementation of defense capabilities and risk mitigation strategies, and communicating with senior management and the cybersecurity leadership response team. The CSO has over 20 years of security operations, information technology and cybersecurity experience. He has served as Executive Vice President and Chief Security Officer at MSG Entertainment since April 2023 and, prior to the MSGE Distribution, held senior roles at the Company, including serving as Executive Vice President and Chief Security Officer from 2021 to April 2023 and Senior Vice President and Chief Security Officer from 2020 to 2021, and served as MSG Sports’ Senior Vice President and Chief Security Officer from 2018 to 2020 prior to the 2020 Entertainment Distribution. He is supported by his direct reports and their teams. The cybersecurity leadership response team also includes other senior members from the legal, internal audit, communications and threat management departments. This leadership response team meets as needed to review various cybersecurity and data privacy matters as escalated by the tactical incident response team and receives periodic updates from the tactical incident response team on such matters. The tactical incident response team is responsible for maintaining processes to assess, identify and manage material risks from cybersecurity threats and has primary responsibility for executing the response to any cybersecurity incident. In addition, the CSO and/or the tactical incident response team have identified third party vendors that can assist as needed with responding to any cybersecurity incident and determine if members of the cybersecurity leadership response team or other employees or vendors should be involved in the Company’s response. Our Audit Committee is responsible for overseeing the Company’s risk management on behalf of our Board of Directors, which includes overseeing the Company’s management of its cybersecurity and data privacy. The CSO (or a senior member of his team) reports annually to the Audit Committee regarding the Company’s information security and cybersecurity risks. In addition, the Company’s CFO and GC communicate with the Company’s Audit Committee or its chair upon the occurrence of specified types of cybersecurity-related events, in accordance with the Company’s incident response policy. The GC, the CFO and the Vice President, Internal Audit & SOX also attend quarterly meetings of the Audit Committee to provide quarterly reports with updates on, among other things, cybersecurity risks facing the Company. The Audit Committee reports to the Board of Directors at least annually regarding its responsibilities and actions taken throughout the year, which includes any significant activities regarding its oversight of risks from cybersecurity threats. 40 Although we have not been materially impacted by any cybersecurity incident to date, we are subject to cybersecurity threats, as discussed in Item 1A. Risk Factors, including in the risk factor entitled " We Face Continually Evolving Cybersecurity and Other Technology-Related Risks, Which Could Result in Loss, Disclosure, Theft, Destruction or Misappropriation of, or Access to, Our Confidential Information and Cause Disruption of Our Business, Damage to Our Brands and Reputation, Legal Exposure and Financial Losses ."

Company Information