Warner Bros. Discovery, Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Warner Bros. Discovery, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 12:21:20 EST.

Filings

10-K filed on 2025-02-27

Warner Bros. Discovery, Inc. filed a 10-K at 2025-02-27 12:21:20 EST
Accession Number: 0001437107-25-000031

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity). However, our procedures may not be sufficient to adequately mitigate the negative impacts of a cyber breach or adverse event and we may not have adequate insurance coverage to compensate us for any losses that may occur. If our or our service providers’ information security systems or data are compromised, such compromises could result in a disruption of services or a reduction of the revenues we are able to generate from such services, damage to our brands and reputation, a loss of confidence in the security of our offerings and services, and significant legal, regulatory and financial exposure, each of which could potentially have an adverse effect on our business. 25 Our business, financial condition and results of operations may be negatively impacted by the outcome of uncertainties related to litigation. From time to time, we are subject to a number of legal claims, regulatory investigations, litigation actions (asserted individually and/or on behalf of a class), and/or arbitration proceedings, both in the U.S. and in foreign countries, including, at any particular time, claims relating to antitrust, intellectual property, employment, wage and hour, consumer privacy, regulatory and tax proceedings, contractual and commercial disputes, and the production, distribution, and licensing of our content. We also spend substantial resources complying with various government standards, including any related investigations and litigation. We may incur significant expenses defending such suits or government charges and may be required to pay amounts or otherwise change our operations in ways that could materially adversely affect our business, financial condition and results of operations. This could result in an increase in our cost for defense or settlement of claims or indemnification obligations if we were to be found liable in excess of our historical experience. Even if we believe a claim is without merit, and/or we ultimately prevail, defending against the claim could be time-consuming and costly and divert our management’s attention and resources away from our business. In addition, our insurance may not be adequate to protect us from all significant expenses related to pending and future claims and our current levels of insurance may not be available in the future at commercially reasonable prices. Any of these factors could adversely affect our business, financial condition and results of operations. Global economic conditions and other global events may have an adverse effect on our business. Our business is significantly affected by prevailing economic conditions and levels of consumer discretionary spending. A downturn in global economic conditions may negatively affect our current and potential customers, particularly advertisers whose expenditures are sensitive to general economic conditions, vendors and others with whom we do business and their ability to satisfy their obligations to us. For example, the imposition of tariffs by the U.S. government on imported goods and any retaliatory tariffs from foreign governments could result in increased costs and uncertainty that negatively affect global economic conditions and activity. In addition, inflationary conditions or an increase in price levels generally increases our content production costs and other costs of doing business, which could negatively affect our profitability. Further, a high interest rate environment, whether arising out of a policy response to inflationary conditions or otherwise, increases the costs of our securitization portfolio, which may also negatively affect our results of operations. Decreases in consumer discretionary spending in the U.S. and other countries where our content is distributed may cause a decrease in cable television subscriptions, subscriptions to our DTC products, or movie theater attendance to view our feature films, among others, all of which may negatively affect our revenues and results of operations. In addition, our business and operations has been, and in the future could be, disrupted or impacted by other global events, including political, social, or economic unrest, terrorism, hostilities, natural disasters such as earthquakes, or pandemics. For example, the COVID-19 pandemic had numerous effects on our business including a decrease in advertising revenues, a postponement of significant live events, and reduced movie theater attendance. Other global events in the future could disrupt our business and operations in unpredictable ways. The market price of our common stock has been highly volatile and may continue to be volatile due, in part, to circumstances beyond our control. The market price of our common stock has fluctuated, and may continue to fluctuate, due to many factors, some of which may be beyond our control. These factors include, without limitation: - actual or anticipated variations in our financial and operating results; - changes in our estimates, guidance or business plans; - variations between our actual results and expectations of securities analysts, or changes in financial estimates and recommendations by securities analysts; - market sentiment about our industry in general or our business in particular, including our level of debt, our leverage ratio, credit ratings, and our ability to effectively compete in the categories and industries in which we operate; - sales of our stock in the public market by our stockholders, some of whom, together with their affiliates, hold large amounts of our stock; - the activities, operating results or stock price of our competitors, or other industry participants; - spending on domestic and foreign television and digital advertising; - the announcement or completion of significant transactions by us or a competitor; - overall general market fluctuations and other events affecting the stock market generally; and - the economic and political conditions in the U.S. and internationally, as well as other factors described in this Item 1A. 26 Some of these factors may adversely impact the price of our common stock, regardless of our operating performance. Further, volatility in the price of our common stock may negatively impact our business, including by limiting our financing options for acquisitions and other business expansion. Our participation in multiemployer defined benefit pension plans could subject us to liabilities that could adversely affect our business, financial condition and results of operations. We contribute to various multiemployer defined benefit pension plans (the “multiemployer plans”) under the terms of collective bargaining agreements that cover certain of our union-represented employees which could subject us to liabilities in certain circumstances. The amount of funds we may be obligated to contribute to multiemployer plans in the future cannot be estimated, as these amounts are based on future levels of work of the union-represented employees covered by the multiemployer plans, investment returns and the funding status of such plans. As of December 31, 2024, we were an employer that provided more than 5% of total contributions to certain of the multiemployer plans in which we participate. If we choose to stop participating or substantially reduce participation in certain of these plans, we may be subject to a withdrawal liability. In addition, actions taken by any other participating employer that lead to a deterioration of the financial health of a multiemployer plan may result in the unfunded obligations of the multiemployer plan being borne by its remaining participating employers, including us. To the extent a multiemployer plan is underfunded or in endangered, seriously endangered or critical status, additional required contributions and benefit reductions may apply. We currently contribute to multiemployer plans that are underfunded, and, as such, under federal law we may be subject to substantial liabilities in the event of a complete or partial withdrawal from, or a voluntary or involuntary withdrawal from, or termination of, such plans. There can be no assurance that we will not be subject to liabilities in the future due to the foregoing or other circumstances that may arise in connection with these plans or that we can adequately mitigate these costs, any of which could materially adversely affect our business, financial condition and results of operations. ITEM 1B. Unresolved Staff Comments. None. ITEM 1C. Cybersecurity. We have a cybersecurity program to assess and manage risks to the confidentiality, integrity, and availability of our data, networks and technology assets across WBD. Our board of directors oversees risk management at WBD and has delegated functional oversight of cybersecurity and information technology risks to the Audit Committee. Our Chief Information Security Officer (“CISO”) is responsible for the management of such risks and oversees a global organization whose responsibilities include proactively managing and monitoring information and content security, cybersecurity risk, and processes to enable secure and resilient access to, and use of, WBD products and services. Our cybersecurity risk management processes are aligned and integrated into our overall enterprise risk management approach. Risk Management and Strategy We have a cybersecurity risk management strategy for safeguarding our digital assets that includes both technical and non-technical cybersecurity controls. Our multi-layered technical defense involves a series of protective measures across various levels of our technology environment. This includes fortifying our network perimeter through intrusion detection and prevention systems, securing individual devices with antivirus solutions and endpoint detection, implementing network security measures, and ensuring the resilience of applications. In addition to these technical security solutions, we also leverage non-technical methods, such as promoting a cybersecurity-conscious culture throughout WBD which includes mandatory annual cybersecurity training for all employees, a regular cadence of cybersecurity messaging to our employees, and frequent phishing simulations. Further, we engage independent third parties to conduct annual internal and external penetration testing and independent assessments of our cybersecurity risk management practices using the National Institute of Standards and Technology’s cybersecurity framework and other leading industry practices as guidelines . We also engage an independent third party to conduct a biennial cybersecurity maturity assessment to evaluate the maturity of our entire cybersecurity program. We also invest in cybersecurity incident detection and response. Our Cybersecurity Operations Center provides continuous threat monitoring and anomaly detection that is intended to prevent or minimize damage from a cybersecurity attack. We have a Cybersecurity Incident Response Plan that establishes procedures, roles, responsibilities, and communication protocols for WBD executive management and technical staff in the event of a cybersecurity incident. We test the efficacy of the Cybersecurity Incident Response Plan and assess our response capabilities by conducting annual tabletop exercises that simulate cybersecurity threat scenarios. 27 We have ongoing processes to identify and assess cybersecurity risks associated with current and prospective third-party service providers. These processes include a vendor cybersecurity compliance assessment at the time of onboarding, contract renewal and/or as needed in the event of a cybersecurity incident affecting such third-party vendor. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and notify us in the event of a cybersecurity incident that impacts us. We have established cybersecurity information sharing and collaboration practices with both government agencies and industry partners, which we believe enhances our overall cybersecurity resilience. Governance We have established a cybersecurity governance structure to engage appropriate stakeholders. Our CISO is informed about and monitors our prevention, detection, mitigation and remediation efforts related to cyber threats through regular communication and reporting from our information security team. Our Chief Financial Officer, our Chief Legal Officer, our Chief Audit and Risk Officer and our Chief Information Officer also have input and involvement in our cybersecurity program. Our board of directors has an active role, as a whole and at the committee level, in overseeing the Company’s overall risk management, including cybersecurity risks. Our board of directors has delegated responsibility for cybersecurity and information technology risks to our Audit Committee and is regularly informed about such risks through committee reports and other presentations. Our Audit Committee regularly reviews and discusses our cybersecurity risks and is updated quarterly by our CISO on how we identify, assess and mitigate those risks. Our Audit Committee receives quarterly updates from our CISO on our cybersecurity risk posture, the status of projects to strengthen and enhance our cybersecurity program, the evolving threat landscape, and cybersecurity incident reports and learnings. The Audit Committee also periodically devotes additional meeting time, as needed, to in-depth discussions on a particularly relevant cybersecurity topic or to education on developments in the realm of cybersecurity. In addition to the quarterly incident reports, cybersecurity incidents meeting pre-determined criteria are reported to the Audit Committee outside of regularly scheduled quarterly updates and to WBD executive management as needed. Our CISO has over 30 years of expertise in global digital and information security, cybersecurity risk management, data privacy and compliance across diverse industries including media and entertainment, biotechnology, pharmaceuticals, financial services, and government defense sectors and holds multiple industry-recognized certifications including, among others, a Certificate of Cybersecurity Oversight from the National Association of Corporate Directors and a Certified Information Systems Security Professional certification. We periodically experience cybersecurity incidents, but, as of December 31, 2024, we are not aware of any such incidents that have materially impacted or are reasonably likely to materially impact our business, financial condition or results of operations. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents or will not discover additional information about previously detected events. See Item 1A, “Risk Factors” for details on the risks from cybersecurity threats that we face.
ITEM 1C. Cybersecurity. We have a cybersecurity program to assess and manage risks to the confidentiality, integrity, and availability of our data, networks and technology assets across WBD. Our board of directors oversees risk management at WBD and has delegated functional oversight of cybersecurity and information technology risks to the Audit Committee. Our Chief Information Security Officer (“CISO”) is responsible for the management of such risks and oversees a global organization whose responsibilities include proactively managing and monitoring information and content security, cybersecurity risk, and processes to enable secure and resilient access to, and use of, WBD products and services. Our cybersecurity risk management processes are aligned and integrated into our overall enterprise risk management approach. Risk Management and Strategy We have a cybersecurity risk management strategy for safeguarding our digital assets that includes both technical and non-technical cybersecurity controls. Our multi-layered technical defense involves a series of protective measures across various levels of our technology environment. This includes fortifying our network perimeter through intrusion detection and prevention systems, securing individual devices with antivirus solutions and endpoint detection, implementing network security measures, and ensuring the resilience of applications. In addition to these technical security solutions, we also leverage non-technical methods, such as promoting a cybersecurity-conscious culture throughout WBD which includes mandatory annual cybersecurity training for all employees, a regular cadence of cybersecurity messaging to our employees, and frequent phishing simulations. Further, we engage independent third parties to conduct annual internal and external penetration testing and independent assessments of our cybersecurity risk management practices using the National Institute of Standards and Technology’s cybersecurity framework and other leading industry practices as guidelines . We also engage an independent third party to conduct a biennial cybersecurity maturity assessment to evaluate the maturity of our entire cybersecurity program. We also invest in cybersecurity incident detection and response. Our Cybersecurity Operations Center provides continuous threat monitoring and anomaly detection that is intended to prevent or minimize damage from a cybersecurity attack. We have a Cybersecurity Incident Response Plan that establishes procedures, roles, responsibilities, and communication protocols for WBD executive management and technical staff in the event of a cybersecurity incident. We test the efficacy of the Cybersecurity Incident Response Plan and assess our response capabilities by conducting annual tabletop exercises that simulate cybersecurity threat scenarios. 27 We have ongoing processes to identify and assess cybersecurity risks associated with current and prospective third-party service providers. These processes include a vendor cybersecurity compliance assessment at the time of onboarding, contract renewal and/or as needed in the event of a cybersecurity incident affecting such third-party vendor. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and notify us in the event of a cybersecurity incident that impacts us. We have established cybersecurity information sharing and collaboration practices with both government agencies and industry partners, which we believe enhances our overall cybersecurity resilience. Governance We have established a cybersecurity governance structure to engage appropriate stakeholders. Our CISO is informed about and monitors our prevention, detection, mitigation and remediation efforts related to cyber threats through regular communication and reporting from our information security team. Our Chief Financial Officer, our Chief Legal Officer, our Chief Audit and Risk Officer and our Chief Information Officer also have input and involvement in our cybersecurity program. Our board of directors has an active role, as a whole and at the committee level, in overseeing the Company’s overall risk management, including cybersecurity risks. Our board of directors has delegated responsibility for cybersecurity and information technology risks to our Audit Committee and is regularly informed about such risks through committee reports and other presentations. Our Audit Committee regularly reviews and discusses our cybersecurity risks and is updated quarterly by our CISO on how we identify, assess and mitigate those risks. Our Audit Committee receives quarterly updates from our CISO on our cybersecurity risk posture, the status of projects to strengthen and enhance our cybersecurity program, the evolving threat landscape, and cybersecurity incident reports and learnings. The Audit Committee also periodically devotes additional meeting time, as needed, to in-depth discussions on a particularly relevant cybersecurity topic or to education on developments in the realm of cybersecurity. In addition to the quarterly incident reports, cybersecurity incidents meeting pre-determined criteria are reported to the Audit Committee outside of regularly scheduled quarterly updates and to WBD executive management as needed. Our CISO has over 30 years of expertise in global digital and information security, cybersecurity risk management, data privacy and compliance across diverse industries including media and entertainment, biotechnology, pharmaceuticals, financial services, and government defense sectors and holds multiple industry-recognized certifications including, among others, a Certificate of Cybersecurity Oversight from the National Association of Corporate Directors and a Certified Information Systems Security Professional certification. We periodically experience cybersecurity incidents, but, as of December 31, 2024, we are not aware of any such incidents that have materially impacted or are reasonably likely to materially impact our business, financial condition or results of operations. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents or will not discover additional information about previously detected events. See Item 1A, “Risk Factors” for details on the risks from cybersecurity threats that we face.

Company Information