Page last updated on March 12, 2025
E.W. SCRIPPS Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 15:34:31 EDT.
Filings
10-K filed on 2025-03-12
Accession Number: 0000832428-25-000012
Item 1C. Cybersecurity.
Protecting our systems and data from cyber threats is important for ensuring the continuity of operations and maintaining the trust of our customers and stakeholders. Scripps is committed to the transparent and ethical use of the personal data in its care and complying with applicable privacy-related regulations. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected our business, our business strategy, our results of operations or financial condition. For further information, see “We will continue to face cybersecurity and similar risks, which could result in the disclosure of confidential information, disruption of operations, damage to our brands and reputation, legal exposure and financial losses” in Item 1A, Risk Factors of this Annual Report. In the event an attack or other intrusion were to be successful, we have a trained response team of internal and external resources that are prepared to respond.

Cybersecurity Program

Scripps is committed to having a strong cybersecurity program and employs a chief information security officer (“CISO”) to oversee the cybersecurity leadership team. The team manages governance, risk and compliance, security operations, and identity and access management. Scripps routinely identifies and considers potential improvements to its cybersecurity program based on the threat landscape. Improvements may include adjustments to staffing, processes or the acquisition of new technology. When such potential improvements are identified, the Company weighs the costs and benefits of such improvements (including against other potential improvements) and, if selected, the improvements are added to a roadmap for possible implementation.

Scripps has implemented certain physical, administrative and technical controls to help secure its enterprise environment and products.
Cybersecurity controls include, but are not limited to, the following measures:

- Enforce controls that limit access based on job responsibilities and enforce authentication measures, including strong password policies and multifactor authentication where appropriate.
- Conduct exercises to ensure the company is prepared to respond to cyber incidents.
- Align the cybersecurity program with the National Institute of Standards and Technology cybersecurity framework.
- Scan our systems for vulnerabilities that may potentially impact our enterprise or products, categorize them based on severity and, where possible, proactively address them to prevent exploitation by threat actors.
- Employ a trained incident response team and a managed security service provider to identify and mitigate incidents that bypass our cybersecurity controls to minimize impact to operations.

Incident Response Plan

The Integrated Incident Response Program is reviewed at least annually to ensure alignment with any changes in notification laws, company structure and operations, service providers and the risk landscape. The Cyber Incident Response Plan includes materiality assessments in accordance with the new U.S. Securities and Exchange Commission (“SEC”) cybersecurity rules. This same process is also used to address materiality as it relates to non-cyber events, should they occur. Tabletop exercises are conducted periodically to assess readiness for plan execution. Any actual or suspected security incident is reported to the CISO. Cybersecurity incidents are evaluated under the Integrated Incident Response Program and flow to the Enterprise Response Team according to clearly defined escalation criteria.

Oversight

Cybersecurity is a key risk included in risk management discussions on the Governance, Risk and Compliance committee that meets quarterly before board meetings.
The Board of Directors oversees cybersecurity and technology risks through the Audit Committee, which receives quarterly updates from the CISO. Intermittent updates are provided to the full Board for educational purposes or when special needs arise. Our chief privacy officer oversees an enterprise-wide privacy program that includes annual training; a “privacy by design” ethos within development teams; privacy-specific contract reviews; and an enterprise-wide privacy platform to manage rights, requests and consent management.

Privacy

Scripps is committed to data governance and protection. We recognize the importance of safeguarding personal information in today’s digital landscape. Our comprehensive Privacy Policy provides a clear definition of “personal data” and outlines where and how the policy applies. The policy details our methods for collecting and storing personal data, explains users’ rights and addresses additional privacy-related matters. We maintain transparency by keeping our Privacy Policy updated and making it available across all relevant digital platforms.

Employee Training Programs

We launch separate, annual web-based learning modules on cybersecurity, privacy and various security topics such as phishing, password hygiene and data governance to all employees. The annual security awareness training is reinforced through regular phishing simulations across the enterprise to provide employees with practical exposure to phishing campaigns. Employees who fail phishing simulations must complete additional training.
Company Information
Name | E.W. SCRIPPS Co |
CIK | 0000832428 |
SIC Description | Television Broadcasting Stations |
Ticker | SSP - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |