The cybersecurity incident identified on October 17, 2021 resulted in the loss in the fourth quarter of
2021 of approximately $63 million of advertising revenue, primarily related to our broadcast segment, as well as approximately $7 million through the date of filing of this Form 10-K in costs and
expenses related to mitigation efforts, our investigation and the security improvements resulting therefrom. However, we did not pay the ransom that was being sought as a result of the cybersecurity incident.
These amounts exceeded the limits under our insurance policies and thus, based on the known effects of the cyber incident, the Company estimates that the
cyber incident has resulted in approximately $20 million of unrecoverable net loss through the date of filing of this Form 10-K. Although we have received $30 million in reimbursement proceeds from
our insurance policies through the date of filing of this Form 10-K, there can be no assurance that the insurance policies will pay their full coverage or the timing of such additional reimbursements. In
addition, the Company may incur additional cyber incident response costs, and the estimated unrecoverable net loss above does not include an estimate of any liability the Company may have in the event that litigation or regulatory proceedings result
from the incident.
We recurringly identify cyber threats as well as vulnerabilities in our systems and work to address them. Despite our efforts and the
efforts of our third-party vendors to ensure the integrity of our software, computers, systems and information, we may not be able to anticipate, detect or recognize threats to our systems and assets, or to implement effective preventive measures
against all cyber threats, especially because the techniques used are increasingly sophisticated, change frequently, are complex, and are often not recognized until launched. Cyber attacks can originate from a variety of sources, including external
parties who are affiliated with foreign governments or are involved with organized crime or terrorist organizations. Third parties may also attempt to induce employees, customers or other users of our systems to disclose sensitive information or
provide access to our systems or network, or to our data or that of our counterparties, and these types of risks may be difficult to detect or prevent. We expect cyber attack and breach incidents to continue, and we are unable to predict the direct
or indirect impact of future attacks or breaches on our business operations.
Investigations of cyber attacks are inherently unpredictable, and it takes
time to complete an investigation and have full and reliable information. While we are investigating a cyber attack, we do not necessarily know the extent of the harm or how best to remediate it, and we can repeat or compound certain errors or
actions before we discover and remediate them.
The occurrence of a cyber attack, breach, unauthorized access, misuse, ransomware, computer virus or other
malicious code or other cybersecurity event could jeopardize or result in the unauthorized disclosure, gathering, monitoring, misuse, corruption, loss or destruction of confidential and other information that belongs to us, our customers, our
counterparties, our employees, and third-party service providers that is processed and stored in, and transmitted through, our computer systems and networks. The occurrence of such an event could also result in damage to our software, computers or
systems, or otherwise cause interruptions or malfunctions in our, our customers', our counterparties' or third parties' operations. This could result in significant financial losses, loss of customers and business opportunities,
reputational damage, litigation, regulatory fines, penalties, significant intervention, reimbursement or other compensatory costs, significant costs to investigate the event, remediate vulnerabilities and modify our protective measures, or otherwise
adversely affect our business, financial condition or results of operations. While we maintain insurance to cover losses related to cybersecurity risks and business interruption, such policies, as was the case with respect to the October 2021
cybersecurity incident, may not be sufficient to cover all losses of this incident or any future incidents.
Data privacy, data protection, and information security may require significant resources and present certain risks.
We collect, store, have access to and otherwise process certain
confidential or sensitive data, including proprietary business information, personal data or other information that is subject to privacy and security laws, regulations and/or customer-imposed controls. Despite our efforts to protect such data, we
may be vulnerable to material security breaches, theft, misplaced or lost data, programming errors, or employee errors that could potentially lead to the compromising of such data, improper use of our systems, software solutions or networks,
unauthorized access, use, disclosure, modification or destruction of information, and operational disruptions. In addition, we operate in an environment in which there are different and potentially conflicting data privacy laws in effect in the
various U.S. states in which we operate, and we must understand and comply with each law and standard in each of these jurisdictions while ensuring the data is secure. Our failure to comply with those regulations or to adequately secure the
information we hold could result in significant liability or reputational harm.