|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We strive to implement leading data protection standards to ensure a strong commitment to cybersecurity. Our Data Security Policy and Cybersecurity Incident Response Plan (“CIRP”), which is part of our enterprise wide risk management processes, guides our cybersecurity program. The CIRP, developed in consultation with an independent cybersecurity expert, includes processes for identifying, managing, and remediating cybersecurity incidents. We utilized the National Institute of Standards and Technology (“NIST”) and the Center for Internet Security (“CIS”) guidelines to develop and implement the CIRP, which is approved by our Chief Technology Officer (“CTO”). However, this should not be interpreted to mean that we meet any particular technical standards, specifications, or requirements, only that we used the NIST and CIS as a guide to help create develop and implement the CIRP. The CIRP is reviewed and updated annually. The Company’s cybersecurity risk management processes include ongoing monitoring and testing of its information systems and data to identify and respond to potential cybersecurity threats. Internally, the Company utilizes an enterprise Attack Surface Management tool to routinely scan for vulnerabilities to internal assets. Externally, we use third-party vendors to routinely conduct scans for vulnerabilities to external assets. In addition, our internal auditors along with management also conduct periodic monitoring of our internal controls over our data security and customer privacy systems and processes.
For many vendors for the Company, we request copies of standard security reports or assessments, such as System and Organization Controls (“SOC”) reports, to support our assessment of our. In collaboration with the National Association of Broadcasters, North American Broadcasters Association, and risk management vendors, we are also working to assemble broadcaster-specific guidelines for information technology vendor selection.
The Company provides security awareness training for all employees on a regular basis. The training is designed to educate and prepare employees to recognize unsafe practices and to properly respond to phishing attacks from email, social media, and other sources. Follow-up testing using simulated attack tools is used to validate the effectiveness of training and compliance.
Although we have systems and processes in place to protect against risks associated with cybersecurity incidents in the future, depending on the nature of an incident, these protections may not be fully sufficient. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or have been determined to be reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats and incidents we face, see the section captioned “Operating Risks – Disruptions or security breaches of our information technology infrastructure could interfere with our operations, compromise client information and expose us to liability, possibly causing our business and reputation to suffer” within Part I, Item 1A. “Risk Factors”.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We strive to implement leading data protection standards to ensure a strong commitment to cybersecurity. Our Data Security Policy and Cybersecurity Incident Response Plan (“CIRP”), which is part of our enterprise wide risk management processes, guides our cybersecurity program. The CIRP, developed in consultation with an independent cybersecurity expert, includes processes for identifying, managing, and remediating cybersecurity incidents. We utilized the National Institute of Standards and Technology (“NIST”) and the Center for Internet Security (“CIS”) guidelines to develop and implement the CIRP, which is approved by our Chief Technology Officer (“CTO”). However, this should not be interpreted to mean that we meet any particular technical standards, specifications, or requirements, only that we used the NIST and CIS as a guide to help create develop and implement the CIRP. The CIRP is reviewed and updated annually. The Company’s cybersecurity risk management processes include ongoing monitoring and testing of its information systems and data to identify and respond to potential cybersecurity threats. Internally, the Company utilizes an enterprise Attack Surface Management tool to routinely scan for vulnerabilities to internal assets. Externally, we use third-party vendors to routinely conduct scans for vulnerabilities to external assets. In addition, our internal auditors along with management also conduct periodic monitoring of our internal controls over our data security and customer privacy systems and processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Although we have systems and processes in place to protect against risks associated with cybersecurity incidents in the future, depending on the nature of an incident, these protections may not be fully sufficient. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or have been determined to be reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats and incidents we face, see the section captioned “Operating Risks – Disruptions or security breaches of our information technology infrastructure could interfere with our operations, compromise client information and expose us to liability, possibly causing our business and reputation to suffer” within Part I, Item 1A. “Risk Factors”.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Management is responsible for the Company’s day-to-day risk management and the Board serves in an oversight role. The Board has empowered the Audit Committee with formal oversight of enterprise risk matters, including with respect to cybersecurity. The Audit Committee and management periodically review the Company’s policies with respect to risk identification, assessment, and management, including cybersecurity risk exposures and the internal controls and procedures in place to manage such risks, as well as the steps that management takes to monitor and control such exposures. In addition, the Audit Committee and the Board consider risk-related matters on an ongoing basis in connection with deliberations regarding specific transactions and issues.
The Cybersecurity Incident Response Team (“CIRT”), which is led by the CTO, is responsible for the prevention, detection, mitigation, and remediation of cybersecurity incidents and conducts primary incident response efforts. Our CTO, who is responsible for assessing and managing the Company’s cybersecurity risks, has over 30 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at Raycom Media prior to the Raycom Merger. Other team members of the CIRT also have relevant educational and industry experience, including holding similar positions at large companies. Incidents can be escalated up to our executive leadership team, depending on the severity of the incidents. Our President and/or CTO regularly report to our Board, and our CISO and General Counsel regularly report to our Audit Committee about our cybersecurity health and initiatives. In addition, the Board receives quarterly reports on risk management activities across Gray operations, including with respect to cybersecurity.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Management is responsible for the Company’s day-to-day risk management and the Board serves in an oversight role. The Board has empowered the Audit Committee with formal oversight of enterprise risk matters, including with respect to cybersecurity. The Audit Committee and management periodically review the Company’s policies with respect to risk identification, assessment, and management, including cybersecurity risk exposures and the internal controls and procedures in place to manage such risks, as well as the steps that management takes to monitor and control such exposures. In addition, the Audit Committee and the Board consider risk-related matters on an ongoing basis in connection with deliberations regarding specific transactions and issues.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Cybersecurity Incident Response Team (“CIRT”), which is led by the CTO, is responsible for the prevention, detection, mitigation, and remediation of cybersecurity incidents and conducts primary incident response efforts. Our CTO, who is responsible for assessing and managing the Company’s cybersecurity risks, has over 30 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at Raycom Media prior to the Raycom Merger. Other team members of the CIRT also have relevant educational and industry experience, including holding similar positions at large companies. Incidents can be escalated up to our executive leadership team, depending on the severity of the incidents. Our President and/or CTO regularly report to our Board, and our CISO and General Counsel regularly report to our Audit Committee about our cybersecurity health and initiatives. In addition, the Board receives quarterly reports on risk management activities across Gray operations, including with respect to cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef