5&2 Studios, Inc. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

5&2 Studios, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 16:36:46 EDT.

Filings

10-K filed on 2025-03-31

5&2 Studios, Inc. filed a 10-K at 2025-03-31 16:36:46 EDT
Accession Number: 0001410578-25-000582

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Management and Strategy Our business operations depend on the availability, integrity, and secure processing, storage, and transmission of confidential and sensitive information, including personal information, digitally and through interconnected systems, including those of our vendors, service providers, and other third parties on which we rely . We understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats, and as such, have implemented and maintain a cybersecurity risk management program to assess, identify and manage risks from cybersecurity threats. This program is integrated into our overall enterprise risk management process, and is embedded in our operating procedures, internal controls, and information systems. We also maintain a third-party security program to identify, prioritize, assess, mitigate and remediate third-party risks involving our vendors and service providers. However, we rely on the third parties to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. To manage our material risks from cybersecurity threats and to protect against, detect, and respond to cybersecurity incidents, we: ● Conduct periodic vulnerability assessments and mitigate vulnerabilities for our systems and processes that include sensitive data; ● Conduct regular security awareness trainings and phishing simulation attacks for our employees; ● Maintain cybersecurity risk insurance that provides an aggregate insurance policy coverage amount for protection against covered losses arising from a cybersecurity incident; ● Perform periodic gap analyses to review our cybersecurity controls for gaps and implement the closure actions; ● Regularly review and update at least annually our standard policies and procedures related to information technology and analyze those policies against the standards and controls set by organizations such as the National Institute of Standards and Technology cybersecurity framework and the International Organization for Standardization; ● Maintain a dedicated cybersecurity team under the direction of our Chief Information Security Officer (the “CISO”) , each of whom has expertise related to data and network security, data governance and risk management; ● Maintain, and we require our third-party service providers to maintain, security controls designed to ensure the confidentiality, integrity, and availability of our information systems and the confidential and sensitive information we maintain and process, or which is processed on our behalf; ● Maintain policies that require the escalation of any suspected or actual material cybersecurity incidents to our Board of Directors, and ● Have prepared and regularly review and test our business continuity, disaster recovery and other back-up plans, including as they relate to cybersecurity incidents. Our incident response plan coordinates the activities that we take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. While we, our business partners and affiliates, and our vendors and service providers are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate of related occurrences, have had a material impact on our service, systems, business, financial condition, or results of operation of our business in the period covered by this report. In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost client revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services, client dissatisfaction, and loss of investor confidence. Any significant disruption to our service or access to our systems could adversely affect our business, results of operation and reputation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information or other sensitive information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition, and results of operations. See “Risk Factors - Cybersecurity.” Any significant disruption or unauthorized access to our computer systems or those of third parties that we utilize in our operations, including those relating to cybersecurity or arising from cybersecurity incidents or attacks, could result in a loss or degradation of service, unauthorized disclosure of data, including corporation information, or theft of intellectual property, including digital content assets, which could adversely impact our business." Governance Management has implemented risk management structures, policies, and procedures, and manages our risk exposure on a day-to-day basis. We have a cybersecurity organization within our operations department that focuses on current and emerging cybersecurity matters, which is overseen by our CISO . Senior management, including our CISO, regularly report to our Board, which actively oversees our risk management activities, including those related to cybersecurity. Our CISO is well qualified in the field of cybersecurity. These qualifications include years of experience in the IT and cybersecurity industry. The CISO works closely with key stakeholders, including internal committees such as the Finance and Audit Committee of the Board, in order to manage cybersecurity and information security risk. Our internal team, supplemented by outside cybersecurity advisors, is responsible for the testing and audit of our information-technology internal controls. In addition, leaders from our finance, legal and operations teams participate in incident response training designed to enhance our ability to respond to cybersecurity incidents quickly, efficiently and with the appropriate degree of urgency. The Finance and Audit Committee provides oversight relative to senior management’s handling of cybersecurity risks. Our Board actively oversees our risk management activities both directly and through its committees and considers various risk topics throughout the year, including cybersecurity and information security risk management and controls. As part of its oversight function, the Board oversees the Company’s risk assessment and risk management policies, including related to cybersecurity and the data protection program, and performs reviews and assessments of the primary operational and regulatory risks facing the Company, their relative magnitude and management’s plan for mitigating these risks. At least annually, our CISO reports to the full Board with a comprehensive report addressing a broad range of topics, including significant cybersecurity incidents that have occurred since the last update, the status of projects and initiatives to update our cybersecurity policies and practices, and ongoing efforts to prevent, detect, and respond to internal and external critical threats.

Company Information