Gannett Co., Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Gannett Co., Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 10:09:03 EST.

Filings

10-K filed on 2025-02-20

Gannett Co., Inc. filed a 10-K at 2025-02-20 10:09:03 EST
Accession Number: 0001579684-25-000007


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats (as such term is defined in Item 106(a) of Regulation S-K), including, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy or security laws and other litigation and legal risks, and reputational risks. We employ various processes and controls to aid in our efforts to identify, assess, and manage our material risks from cybersecurity threats and to protect against, detect, and respond to cybersecurity incidents (as such term is defined in Item 106(a) of Regulation S-K). To identify and assess material risks from cybersecurity threats, we consider and gather information with respect to the confidentiality, integrity, and availability of our information systems (as defined in Item 106(a) of Regulation S-K). We have adopted policies and procedures that are designed to assist us with managing identified risks at a system and organizational level and with assessing the materiality of the risk, its severity, and potential mitigations or remediations. Our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process.

The cybersecurity risk identification process includes: (i) identifying information systems and assets, including physical and virtual devices, software, data, data transfers, external systems, and cloud resources; (ii) reviewing organizational business processes, identities, access, and roles (including privileged access), asset configurations, technology policies, standards, controls, and processes; (iii) determining if those systems or assets process or store customer and/or employee personal data; (iv) analyzing the criticality of systems, assets and business processes and sensitivity of data; and (v) identifying vulnerabilities and threats to the identified systems, assets, data, and processes, from both internal and external sources, including through threat intelligence, previous cybersecurity incidents, and third-party assessments.

Our processes also consider cybersecurity risks associated with our use of third-party service providers and business partners, including those in our supply chain and those who have access to our customer and employee data or our information systems. Identified third-party service provider and business partner risks are managed by our cybersecurity risk management program. In addition, cybersecurity and privacy considerations affect the selection and oversight of our third-party service providers and business partners, as well as third-party specific integration plans. Additionally, we generally require those third parties that could introduce significant cybersecurity or data privacy risk to us to agree by contract to comply with applicable data protection laws, and to manage their cybersecurity risks by implementing appropriate technical and organizational measures, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

We employ a range of tools and services to inform our risk preparedness, identification, assessment and remediation processes, including, among others, continuous monitoring, regular reoccurring security and compliance activities, training, threat intelligence, business processes, change management, strategic planning, annual assessments, and periodic testing and assessments performed by qualified security personnel and by third-party firms. As part of the above-described processes, we engage with third-party firms to perform independent assessments, including internal and external penetration tests, configuration assessments, security plan and program assessments, compliance assessments, and incident response readiness exercises to help identify areas for continued focus, improvement and/or compliance.

Identified risks are evaluated and assessed by the Company’s security review council, comprised of various security, technology, legal and privacy staff members and management. A member of management is assigned as the risk owner and takes an active role in managing the risk, including approving the risk response and risk treatment plan, as well as participating in assessing any residual risk after implementation of the treatment plan. Our Chief Information Security Officer oversees our cybersecurity risk management program. In the event of a potential material risk, the risk is reported to the Chief Information Security Officer, the Chief Technology Officer, the Chief Privacy Officer and to the legal department and the appropriate member of senior management responsible for the function where the risk has been identified. The risk is then reviewed by the Disclosure Committee, which includes among others, the Company’s Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, and Chief Accounting Officer to determine whether the risk is material for disclosure purposes in accordance with applicable rules and regulations.

In 2024, our business strategy, results of operations, and financial condition were not materially affected by risks from cybersecurity threats but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Risks Related to Cybersecurity and Artificial Intelligence” under Risk Factors in this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Governance

Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board of Directors and management. Our Board of Directors is responsible for the oversight of risks from cybersecurity threats. Each quarter or as needed, the Board of Directors receives an overview from management of our cybersecurity program and strategy covering topics such as cybersecurity incidents and response, progress towards pre-determined risk-mitigation-related goals, results from third-party assessments, cybersecurity staffing, compliance status, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to any such risks. In such sessions, our Chief Information Security Officer is available to the Board of Directors to discuss any relevant cybersecurity matters. In addition, at least bi-annually, the Chief Information Security Officer and Chief Technology Officer report to the Board of Directors about cybersecurity threat risks, among other cybersecurity related matters.

Our cybersecurity risk management and strategy processes discussed above are led by our Chief Information Security Officer and Chief Technology Officer, both of whom are Certified Information Systems Security Professionals. Specifically, our Chief Information Security Officer has approximately 10 years of experience developing cybersecurity strategy, incident response, and implementing cybersecurity programs for public media companies and is a certified boardroom Qualified Technology Expert and our Chief Technology Officer has approximately 16 years of experience developing cybersecurity strategy, incident response, and implementing cybersecurity programs.


Company Information

Name: Gannett Co., Inc.
CIK: 0001579684
SIC Description: Newspapers: Publishing or Publishing & Printing
Ticker: GCI - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30