LEE ENTERPRISES, Inc 10-K Cybersecurity GRC - 2024-12-13

Page last updated on December 13, 2024

LEE ENTERPRISES, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-13 14:57:06 EST.

Filings

10-K filed on 2024-12-13

LEE ENTERPRISES, Inc filed a 10-K at 2024-12-13 14:57:06 EST
Accession Number: 0001628280-24-051167


Item 1C. Cybersecurity.

(a) Definitions (extracted from 17 CFR 229.106)

The Company has adopted the definitions present in 17 CFR 229.106 for the following cybersecurity terms:

- Cybersecurity Incident: An unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through information systems that jeopardizes the confidentiality, integrity, or availability of information systems or any information residing therein.
- Cybersecurity Threat: A cybersecurity threat as any potential unauthorized occurrence on or conducted through its information systems that may adversely affect the confidentiality, integrity, or availability of information systems or any information residing therein.
- Information Systems: Electronic information resources owned or used by the organization, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information to maintain or support its operations.

(b) Risk Management and Strategy

(1) Processes for Assessing, Identifying, and Managing Cybersecurity Risks: The Company has established processes to assess, identify, and manage material risks arising from cybersecurity threats. These processes are integrated into the Company’s overall risk management system. Specifically:

- The addition of an experienced Chief Information Security Officer (“CISO”) with over 25 years of experience to lead the IT Cybersecurity and Compliance team.
- Yearly risk assessment designed to help identify material cybersecurity risks to our Information Systems and Data.
- A security incident response team that is responsible for managing our cybersecurity risk, security controls, response, and reporting cybersecurity incidents.
- A cyber and data security incident response plan with policies and procedures for identifying, managing, and recovering from cybersecurity incidents, including escalating tiers of notification and reporting depending on an incident’s nature and severity.
- The use of third-party service providers, where appropriate, to manage, assess, test, and assist with aspects of our security controls, such as:
  ◦ 24/7 Security Operations Center Managed Services (“SOC”) to monitor our cyber environment, correlate logs from all technology assets to identify potential signs of compromise and perform threat hunt exercises.
  ◦ Enterprise-grade email security system managed services.
  ◦ Perform penetration tests, vulnerability assessments, and vulnerability scans of our customer-facing sites, among others.
  ◦ Prevention of denial-of-service attacks.
- Cybersecurity insurance designed to reduce the risk of loss resulting from cybersecurity incidents.
- Policies and procedures related to cybersecurity matters, including but not limited to Acceptable Standards of Use of Technology Systems, Confidential/Sensitive Information and Credit Card Handling Policy, encryption standards, antivirus protection, wireless and remote access, multi-factor authentication, access and change control, and physical security.
- Employee cybersecurity awareness by performing ongoing phishing exercises, and mandatory privacy and cybersecurity training (including spear phishing and other awareness training) for employees.

(2) Material Effects of Cybersecurity Threats: The Company consistently identifies and evaluates cybersecurity threats that could significantly impact our business strategy, financial condition, and operational results. As of fiscal 2024 year-end, no significant cybersecurity threats or incidents have materially impacted our strategy or operational results. For a description of the risks related to cybersecurity that may materially affect us and how they may do so, see the “Risk Factors-Risks Related to Cybersecurity” section of this Report.

(c) Governance

(1) Board of Directors Oversight: The Board of Directors plays a crucial role in overseeing the Company’s management of cybersecurity risks. The Audit and Risk Management Committee is specifically tasked with this responsibility, and it regularly reports to our Board regarding its activities, including those related to cybersecurity risk management. Our Board also receives periodic briefings from management on our cybersecurity risk management program, including presentations on cybersecurity topics from our Chief Transformation Officer, Chief Information Officer, internal information security team, and third-party experts. These briefings cover the current threat landscape, ongoing cybersecurity initiatives, and the Company’s response to significant incidents.

(2) Management’s Role in Cybersecurity Risk Management: Management is actively involved in assessing and managing material risks from cybersecurity threats. The following processes are in place:

- Responsible Positions/Committees: The Chief Transformation Officer, Chief Information Officer, and Chief Information Security Officer are responsible for assessing and managing cybersecurity risks. The individuals in these roles possess extensive expertise in cybersecurity. Specifically, the Chief Transformation Officer has over 30 years of experience in extensive technology and executive leadership experience across diverse industries, the Chief Information Officer has over 25 years in Information Technology across multiple industries, and the Chief Information Security Officer has over 25 years in Security, Risk, Audit, and Compliance across various sectors, including both public and private.
- Monitoring and Response Processes: We have established processes to inform and monitor cybersecurity incidents for prevention, detection, and resolution using a 24/7 third-party SOC Managed Service. The SOC is responsible for providing alerts, updates, and remediation services as needed by monitoring all technology assets for potential signs of compromise and conducting threat hunt exercises.
- Reporting to the Board: Information about cybersecurity risks is regularly reported to the Board of Directors or its relevant committee. This reporting includes updates on the Company’s cybersecurity risk profile, significant incidents, and the effectiveness of mitigation strategies.


Company Information

Name: LEE ENTERPRISES, Inc
CIK: 0000058361
SIC Description: Newspapers: Publishing or Publishing & Printing
Ticker: LEE - Nasdaq
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: September 28