Warner Music Group Corp. 10-K Cybersecurity GRC - 2024-11-21

Page last updated on November 21, 2024

Warner Music Group Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-21 07:35:56 EST.

Filings

10-K filed on 2024-11-21

Warner Music Group Corp. filed a 10-K at 2024-11-21 07:35:56 EST
Accession Number: 0001319161-24-000039

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and reputational risks. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such risks, including regular network and endpoint monitoring, access controls, vulnerability assessments, penetration testing, annual information security training for employees, and tabletop exercises to inform our professionals’ risk identification and assessment. We have an Incident Response Plan which guides the actions we are to take in the event of a suspected or confirmed cybersecurity incident. The plan includes processes to triage, investigate, contain, and remediate the incident, and is designed to enable us to comply with applicable legal and regulatory obligations and mitigate financial and reputational damage. We also maintain a Business Resumption Plan (for critical tools and applications), which provides procedures for maintaining the continuity of critical business processes in the event of business interruption, including any interruption that involves cybersecurity incidents which may significantly impact our operations. Our cybersecurity risk management processes incorporate appropriate industry standards and are designed using the frameworks developed by National Institute of Standards and Technology (“NIST”). We review our cybersecurity technology stack and budget allocation by risk and review against the cyber threat landscape to ensure we are spending the right dollars to reduce the highest risk at that time. Our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with our Chief Information Security Officer (“CISO”), Chief Privacy Officer, Cyber team, Legal team, Physical Security team, and Content Management team, to gather insights for identifying and assessing cybersecurity threats, their severity, and potential mitigations. We conduct monthly Cyber Risk Committee meetings with the participation of these teams to review risks in each of those functions and any cross-functional risks. As part of the above processes, we at least annually engage with assessors, consultants, and other third-parties, including by having an independent Qualified Security Assessor review our cybersecurity program quarterly to help identify areas for continued focus and enhancements regarding Payment Card Industry compliance. These third parties conduct penetration tests and scanning exercises to assess the performance of our cybersecurity controls, systems and processes and overall maturity by NIST categorization. As part of the assessment, they also conduct interviews with key personnel and review key controls. In addition, annually we review our cyber insurance premiums which includes a maturity assessment and the premiums are determined based on the Company’s cybersecurity maturity assessment score . Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program as well as our cybersecurity risk identification program, both of which are discussed above and provided for in our Third-Party Cyber Risk Policy. The Third-Party Cyber Risk Policy sets guidelines for identifying, measuring, monitoring, and reporting the risk associated with third parties relationships, which includes planning, due diligence and third party selection, contracting, ongoing monitoring, and termination. Cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third-parties that have access to our systems, data or facilities that house such systems or data, and monitor cybersecurity threats identified through such diligence. During the period covered by this Annual Report, we have not experienced any cybersecurity incidents which have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, institutions like us, as well as our employees, artists, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of increasingly sophisticated cyber attacks. See “Risk Factors - If we or our service providers do not maintain the security of information relating to our customers, employees and vendors and our music, security information breaches through cyber security attacks or otherwise could damage our reputation with customers, employees, vendors and artists, and we could incur substantial additional costs, become subject to litigation and our results of operations and financial condition could be adversely affected. Moreover, even if we or our service providers maintain such security, such breaches remain a possibility due to the fact that no data security system is immune from attacks or other incidents.” 39 Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of increasing focus for our board of directors and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the Audit Committee receives an overview of our cybersecurity threat risk management and strategy processes from our CISO. These sessions typically cover topics such as data security posture, results from third-party assessments, progress towards risk-mitigation-related goals, our incident response plan, and material short-, medium- and long-term risks from cybersecurity threats, incidents and developments, as well as the steps management has taken to respond to such risks. Cybersecurity threats are also considered during meetings of our board of directors through discussions of enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management and other relevant matters. Our cybersecurity risk management and strategy processes are led by our CISO and the Cyber Risk Committee. Our CISO has over 25 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and controls, as well as relevant certifications, including Certified Industry Systems Security Professional. Our CISO has worked in highly regulated environments for over 20 years and has built strong relations with cybersecurity authorities including the Federal Bureau of Investigation, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency to aid with investigative and intelligence objectives. The Cyber team has an average of over 10 years of cyber-related experience with several senior team members each having over 20 years of cyber experience. Several were also a Chief Information Security Officer or Head of Cybersecurity for their respective former organizations. Other key members of the Cyber team each have over 20 years of relevant experience in Compliance, Audit, Legal, and Data Privacy. Cyber team members participate in industry forums to collaborate and keep current on emerging risks and new technologies. We also strive to maintain key relationships with relevant government agencies for the purpose of collaborating on matters of cybersecurity. Through the cybersecurity risk management and strategy processes described above, Cyber Risk Committee members remain informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents. Members participate in the management and operation of our Incident Response Plan, have oversight of our internal information technology departments that report to Cyber Risk Committee meetings, and oversee the implementation, review and revision of the policies underlying our cybersecurity program. Cyber-related incidents, including non-material incidents, typically have a post-mortem exercise completed to review lessons learned and adjust any policies and processes as needed.

Company Information