QWEST CORP 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

QWEST CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:11:33 EST.

Filings

10-K filed on 2024-02-22

QWEST CORP filed a 10-K at 2024-02-22 16:11:33 EST
Accession Number: 0000068622-24-000005


Item 1C. Cybersecurity.

Risk management and strategy

As a technology and communications company that globally transmits large amounts of information over our networks, we recognize the critical importance of maintaining the security and integrity of information and systems under our control. We view cybersecurity risk as one of our principal enterprise-wide risks, subject to control and monitoring at various levels of management throughout the Company. We dedicate significant resources towards programs designed to identify, assess, manage, mitigate and respond to cybersecurity threats.

As described in Item 1A Risk Factors, several features of our operations heighten our susceptibility to cyber-attacks, including (i) our material reliance on our owned and leased networks to conduct our operations, (ii) our transmission of large amounts of data over our systems and (iii) our processing and storage of sensitive customer data. Cyber-attacks on our systems may stem from a variety of sources, including fraud, malice or sabotage on the part of foreign nations, third parties, vendors, or employees and attempts by outside parties to gain access to sensitive data that is stored in or transmitted across our network. Cyber-attacks can take many forms, including computer hackings, computer viruses, ransomware, worms or other destructive or disruptive software, denial of service attacks, or other malicious activities.

To identify, assess and mitigate cybersecurity risk, we have implemented a global information security management program that includes administrative, technical, and physical safeguards. We leverage a defense-in-depth model to identify, detect, protect and respond to threats to our information systems. Our security operations center provides advanced threat detection and response capabilities. Lumen maintains an insider threat program to detect, investigate and mitigate insider threat risks to Lumen assets, data, services and personnel globally.

Our privacy and cybersecurity policies encompass information security, incident response procedures, and vendor management. Our risk management team works closely with our Information Technology, Privacy, Product, and Operations departments to continuously evaluate emerging cyber risk. We monitor existing or proposed privacy and cybersecurity laws, regulations and guidance that are or may be applicable to us in the regions where we operate, including in the European Union and the United Kingdom where we are subject to GDPR, as well as various other laws governing privacy rights, data protection and cybersecurity in other regions. As a U.S. government contractor we are required to comply with extensive governmental regulations and standards regarding cyber security.

Lumen periodically engages both internal and external auditors and consultants to assess and enhance our program. These independent external auditors and consultants are accredited under various information security standards, including those administered by the International Organization for Standardization and the PCI Security Council. These engagements typically include penetration testing, third-party certifications, compliance assessments, audits, and assessments of vulnerabilities and emerging threats. We also periodically deploy our Internal Audit processes to conduct additional reviews and assessments. We also share and receive threat intelligence with government agencies, cyber analysis centers and cybersecurity associations.

As noted elsewhere in this annual report, we are materially reliant on a variety of third-party service providers to operate our business, which exposes us to the risk of cyber incidents impacting those providers’ systems. We have a vendor risk management program that assesses, manages and oversees risks associated with third-party service providers who have access to our data and systems. We maintain ongoing monitoring to ensure their compliance with our cybersecurity standards.

Despite our efforts to prevent security incidents, (i) some of these attacks have resulted in security incidents (although thus far we do not believe that any of these incidents has resulted in a material adverse effect on our operating results or financial condition) and (ii) future security incidents are likely (some of which could have a material adverse effect on our operating results or financial condition). See Item 1A Risk Factors for a further discussion of cybersecurity risks.

Lumen maintains an Incident Response Playbook that provides a set of guidelines for our stakeholders to follow when handling any data incident. This Playbook describes how we assess incidents and how our security team shares information about such incidents with others at Lumen, including senior leadership and, if warranted, with some or all members of the Board of Directors. These escalation provisions, together with Lumen’s Disclosure Controls and Procedures, are designed to ensure that appropriate representatives throughout the Company are available to assess how to respond to such incidents and make any necessary public notifications.

The Incident Response Team (CIRT) is notified of all cybersecurity incidents, and is responsible for detecting and coordinating responses to security incidents. This team regularly assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss response options. The CIRT also addresses each incident, unless it determines that an incident is sufficiently serious. In those instances, it will notify the Cyber Security Watch Team, which is responsible for addressing cybersecurity incidents that raise more significant risks.

The Cyber Security Watch Team (CSWAT) is comprised of senior IT, operations, risk, legal and compliance leaders across business segments. In addition to addressing our more significant cyber incidents, CSWAT manages risks from matters related to business continuity, including risks posed by cybersecurity threats, and implements controls to mitigate such operational risks. Among other processes, this team reviews our programs and processes related to information security, third party risk, vendor management, facilities, unplanned downtime, business disruption, business continuity and disaster recovery.

Governance

As part of our overall risk management approach, Lumen prioritizes the identification and management of cybersecurity risk at several levels, including Board oversight, executive commitment and employee training.

Lumen’s Risk and Security Committee, comprised of independent directors from its Board, assists the Board in overseeing our cybersecurity and data privacy risk. Specifically, our Risk and Security Committee, which meets quarterly, (i) receives periodic reports from Lumen’s Chief Security Officer (CSO) on security programs, including incident reports, (ii) reviews risk assessments from information security, privacy, and internal audit management teams with respect to cybersecurity, including the adequacy and effectiveness of the Company’s internal controls regarding cybersecurity; (iii) reviews emerging cybersecurity developments and threats; (iv) reviews compliance with applicable laws and industry standards; and (v) periodically reviews our strategy to mitigate cybersecurity risks, such as our cyber insurance coverage and contingency plans in the event of security incidents or other system disruptions. At least quarterly, the Risk and Security Committee provides reports to the full Board regarding matters recently discussed by the Committee, which enables the full Board to provide additional oversight of our cyber risks and cyber processes. The full Board also reviews our cybersecurity risks in connection with its annual review of our enterprise risk mitigation programs.

Lumen’s CSO has worked in the public and private sectors in information security since 1997 and has been a chief security officer since 2017. His technical and process certifications include CISSP, ITIL Foundation, Six Sigma Certified, CISCO CCNP, and CCNA, and he oversees the implementation and compliance of our information security standards and mitigation of information security related risks.

Lumen also has management level committees and response teams who support our processes to assess and manage cybersecurity risk as follows:

The Risk Oversight Committee (ROC), whose core members include the CFO, Chief Technology Officer, Chief Product Officer, and General Counsel, is responsible for making risk management decisions to ensure consideration of all relevant factors and alignment with our overall risk mitigation strategy. The ROC also oversees key risk management activity to help ensure accountability, adequacy of resourcing, implementation of Company directives, and alignment of oversight provided by the Board and senior management.

The Technology Security and Privacy Council, co-chaired by the CSO, Chief Information Officer, and Chief Privacy Officer, brings together IT, legal and internal audit personnel, and other function leads. The Security and Privacy Council provides a forum for these cross-functional members of management to consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.

At the day-to-day operational level, Lumen maintains an experienced information security team who are tasked with implementing our privacy and cybersecurity program and support the CSO in implementing our detection, reporting, security and mitigation functions. This team and the CSO work to develop and implement tools and processes designed to assist in identifying, containing and remediating cybersecurity incidents, and periodically retain consultants to assist with these activities.

Lumen also periodically holds employee trainings on our privacy, cybersecurity and information management policies, conducts phishing tests and generally seeks to promote a company-wide awareness of cybersecurity risk through broad-based communications and educational initiatives.


Company Information

Name: QWEST CORP
CIK: 0000068622
SIC Description: Telephone Communications (No Radiotelephone)
Ticker: CTBB - NYSE, CTDD - NYSE
Category: Non-accelerated filer
Fiscal Year End: December 30