DAILY JOURNAL CORP 10-K Cybersecurity GRC - 2024-12-30

Page last updated on December 31, 2024

DAILY JOURNAL CORP reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-30 18:14:24 EST.

Filings

10-K filed on 2024-12-30

DAILY JOURNAL CORP filed a 10-K at 2024-12-30 18:14:24 EST
Accession Number: 0001437749-24-038552


Item 1C. Cybersecurity.

The Company is committed to safeguarding its information systems and data against evolving cybersecurity threats. With operations spanning traditional publishing and the technology-driven Journal Technologies segment, the Company prioritizes robust cybersecurity measures to protect its operations, customers, and stakeholders.

The Company employs a comprehensive cybersecurity risk management framework to identify, assess, and address risks that could impact business operations, sensitive client data, and the Company’s portfolio of marketable securities. This framework incorporates:

1. Technology Solutions: Prioritizing the security of Journal Technologies’ court and justice software systems, which manage critical data and workflows.
2. Traditional Business: Protecting the systems and data supporting the Company’s publishing and printing operations.
3. Financial Portfolio: Securing systems and processes related to the management of the Company’s substantial marketable securities portfolio.

Governance and Oversight

The Company’s Board of Directors as a whole supervises the Company’s cybersecurity strategy and regularly reviews cybersecurity risks, incident reports, and risk mitigation initiatives.

Journal Technologies has a Chief Information Security Office (CISO) made up of internal cybersecurity practitioners who evaluate, identify, and mitigate significant risks posed by cybersecurity threats, with a focus on safeguarding the Company’s technology, data, and intellectual property. In August 2024, Journal Technologies hired a Director of Security Operations to lead the CISO team. With extensive IT leadership experience and a Certified Information Systems Security Professional (CISSP) credential, the Director oversees security strategies, incident response plans, and risk assessments. Reporting directly to senior management, the Director works closely with internal teams and external experts to align Journal Technologies’ practices with industry standards.

The Company has also established a dedicated Cybersecurity Working Group, with members from both the Traditional Business and Journal Technologies, to collaborate on threat intelligence, incident response strategies, policy alignment, and security technology advancements. This partnership ensures both entities remain proactive in addressing evolving threats and benefit from shared expertise to implement coordinated security measures.

The Company’s senior management works closely with the CISO and the Cybersecurity Working Group to identify matters requiring the attention of the Board of Directors.

Cybersecurity Practices and Safeguards

The Company uses a multi-layered approach to cybersecurity, including:

- Threat Detection and Response: The Company employs enterprise security systems as the backbone of a defense in depth (DiD) strategy, such as patch management, intrusion detection, and network segmentation. A managed detection and response (MDR) solution from a world-class security company unifies our antivirus/malware (NGAV), endpoint detection and response (EDR), cyber threat intelligence, managed threat hunting capabilities, and security hygiene.
- Employee Training and Awareness: The Company provides regular cybersecurity training for employees to enhance awareness of common threats, such as phishing and ransomware. All Journal Technologies employees undergo annual CJIS training and certification.
- Risk Register: The Company maintains a central Risk Register as part of its cybersecurity risk management framework. This Risk Register identifies risks and their potential impacts, mitigation strategies, and ongoing monitoring efforts.
- Third-Party Risk Management: The Company evaluates third-party vendors prior to onboarding to ensure they have industry standard best practices in place and, when applicable, verified by an external audit firm. The Company monitors third-party providers for breaches or other cybersecurity events and annually reviews each vendor’s SOC 2 audit reports.
- Incident Response Planning: The Company maintains a formalized incident response (IR) plan to address and remediate cybersecurity incidents. The plan defines roles and responsibilities and includes runbooks for likely scenarios. The Company performs testing of the IR plan at least annually with the results reported to senior management.
- Certifications: Several of the Company’s security personnel on the CISO team have and maintain CISSP, GCIH (GIAC Certified Incident Handler) and OSCP (Offensive Security Certified Professional) certifications.
- Business Continuity: The Traditional Business and Journal Technologies have each implemented a Business Continuity Plan and Disaster Recovery (BCP/DR) with procedures aimed at minimizing downtime and facilitating recovery of both internal and customer assets in the event of a service disruption. The plan includes clearly defined roles, step-by-step recovery processes, and prioritized action plans to address various scenarios, such as natural disasters, cyber incidents, and hardware failures. We regularly test and update our BCP/DRs.
- Other Measures: The Company uses other measures to protect the Company and its employees from cyberattacks including:
  ○ Enforcing multi-factor authentication (MFA) for all systems
  ○ Deploying anti-phishing solutions to detect and block suspicious emails
  ○ Using single sign-on (SSO) solutions integrated with secure identity providers
  ○ Simulating phishing attacks to measure awareness and improve training programs
  ○ Implementing Security Information and Event Management (SIEM) systems for continuous monitoring and logging.

Incident Reporting and Disclosure

The Company adheres to strict protocols for evaluating and reporting cybersecurity incidents. Any incidents determined to have a material impact, assessed based on financial, operational, or reputational factors, are raised with the Board of Directors and, if necessary, disclosed in accordance with regulatory requirements.


Company Information

Name: DAILY JOURNAL CORP
CIK: 0000783412
SIC Description: Newspapers: Publishing or Publishing & Printing
Ticker: DJCO - Nasdaq
Website
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: September 29