Risk management and strategy

Our cybersecurity program is designed to protect our network and information systems from cybersecurity threats and to ensure the confidentiality, integrity, and availability of our systems and information. We place special weight on protecting sensitive information, such as the personal information of our clients, subscribers, and employees, and our digital content and other confidential information and intellectual property that could be leveraged by a malicious actor. This involves a comprehensive and ongoing effort to protect against, detect, and respond to cybersecurity threats and vulnerabilities.

We maintain a multidisciplinary enterprise risk management process overseen by our office of Corporate Risk Management (“CRM”), which provides for the identification, evaluation, management, monitoring, and reporting of risks and opportunities within the Company, including cybersecurity risks. The CRM, with oversight from the Audit Committee of the Company, reviews the effectiveness of this process on an annual basis. With respect to cybersecurity, we employ a strategy, aligned with our business objectives and strategic risk management, based on the principles of the National Institute of Standards and Technology Internal Report 8286, “Integrating Cybersecurity and Enterprise Risk Management,” to identify and address internal and external risks.

Our cybersecurity program includes a number of components, such as the adoption of information security protocols, standards, guidelines, and policies consistent with industry-standard practices; tools for threat detection, access controls, risk assessments related to cybersecurity and data privacy; vulnerability testing; and internal audits of the Company’s information security protocols. Our cybersecurity program is currently certified as compliant with International Organization for Standardization 27001 and the Payment Card Industry Data Security Standard.

We maintain a training and security awareness program for all employees of the Company. This program consists of deploying training courses, information capsules, webinars, and anti-phishing tests to our employees. It also includes other elements, such as questionnaires, to evaluate the effectiveness of the program, strengthen the permanence of security knowledge within the Company, and increase security awareness in our employees.

Our cybersecurity program includes the deployment of other preventive controls such as annual penetration tests and vulnerability assessments performed by specialized technical internal personnel on our systems, applications, and critical infrastructure. We also maintain an internal team that hunts, collects, monitors, and analyzes industry-specific, regional, and global cybersecurity threat intelligence for possible external threats to the Company.

The Company relies on external security advisors and other third-party information security professionals, who perform annual threat hunting exercises on our infrastructure and critical systems to identify and remove any possible malicious artifacts and threats in our environments, manage a security operations center, and manage and monitor our information security tools. The external security advisors also provide an independent periodic assessment regarding the controls in our environments, which are aimed at strengthening and improving our security practices.

We also maintain an incident response framework for the identification, evaluation, and management of cybersecurity incidents. This framework provides information on how personnel should prepare, detect, analyze, contain, eradicate, and recover from a security incident, including the monitoring of remediation efforts. It also contains an internal, risk-based escalation framework designed to ensure that all relevant individuals are promptly informed of any cybersecurity incident and dictates procedures for determining whether a cybersecurity incident is material, without unreasonable delay.

In the ordinary course of our business, we rely on third-party service providers (“TPSPs”) to collect, process and store certain personal information and other data related to us, our clients and subscribers, and our digital content. We assess the cybersecurity practices of our TPSPs prior to onboarding through a variety of measures, including a due diligence process designed to assess and manage the potential cybersecurity risks posed by such TPSPs to the Company. This process involves the evaluation of security questionnaires and the performance of a business impact analysis, review of General Information Technology Controls reports, and periodic, risk-based monitoring and security reviews of TPSPs following onboarding. Despite these measures, we are reliant on the security practices of our TPSPs, which may be outside of our direct control.

While we experience minor data and cybersecurity incidents from time to time, as of the date of this report and for the time period of January 1, 2024, through December 31, 2024, the Company has no evidence of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, there can be no guarantee that we will not be materially affected by such risks in the future. For information on the cybersecurity threats and risks we face and the potential impacts on the business related thereto, see Item 3.D. Risk Factors – Any Incidents Affecting Our Network and Information Systems or Other Technologies Could Have an Adverse Impact on Our Business, Reputation and Results of Operations.

Our cybersecurity program is designed to protect our network and information systems from cybersecurity threats and to ensure the confidentiality, integrity, and availability of our systems and information. We place special weight on protecting sensitive information, such as the personal information of our clients, subscribers, and employees, and our digital content and other confidential information and intellectual property that could be leveraged by a malicious actor. This involves a comprehensive and ongoing effort to protect against, detect, and respond to cybersecurity threats and vulnerabilities.

We maintain a multidisciplinary enterprise risk management process overseen by our office of Corporate Risk Management (“CRM”), which provides for the identification, evaluation, management, monitoring, and reporting of risks and opportunities within the Company, including cybersecurity risks. The CRM, with oversight from the Audit Committee of the Company, reviews the effectiveness of this process on an annual basis. With respect to cybersecurity, we employ a strategy, aligned with our business objectives and strategic risk management, based on the principles of the National Institute of Standards and Technology Internal Report 8286, “Integrating Cybersecurity and Enterprise Risk Management,” to identify and address internal and external risks.

Our cybersecurity program includes a number of components, such as the adoption of information security protocols, standards, guidelines, and policies consistent with industry-standard practices; tools for threat detection, access controls, risk assessments related to cybersecurity and data privacy; vulnerability testing; and internal audits of the Company’s information security protocols. Our cybersecurity program is currently certified as compliant with International Organization for Standardization 27001 and the Payment Card Industry Data Security Standard.

We maintain a training and security awareness program for all employees of the Company. This program consists of deploying training courses, information capsules, webinars, and anti-phishing tests to our employees. It also includes other elements, such as questionnaires, to evaluate the effectiveness of the program, strengthen the permanence of security knowledge within the Company, and increase security awareness in our employees.

Our cybersecurity program includes the deployment of other preventive controls such as annual penetration tests and vulnerability assessments performed by specialized technical internal personnel on our systems, applications, and critical infrastructure. We also maintain an internal team that hunts, collects, monitors, and analyzes industry-specific, regional, and global cybersecurity threat intelligence for possible external threats to the Company.

Our Board of Directors takes an active role in overseeing the management of cybersecurity risks to the Company. Primary responsibility for cybersecurity oversight has been delegated to the Audit Committee. The Audit Committee receives regular updates from members of the Corporate Committee on cybersecurity matters, including information related to incidents (if any) that occurred during the reporting period, trending topics, and compliance with internal processes. The Audit Committee provides quarterly reports on cybersecurity issues to the Board.