CommScope Holding Company, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

CommScope Holding Company, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 20:27:04 EST.

Filings

10-K filed on 2024-02-28

CommScope Holding Company, Inc. filed a 10-K at 2024-02-28 20:27:04 EST
Accession Number: 0000950170-24-022519


Item 1C. Cybersecurity.

Like many large, global companies, CommScope relies heavily on digital technology to conduct operations and engage with our customers and business partners. As our engagements become more complex and interdependent, threats from security incidents like ransomware and data breaches increase. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management and make securing our data and the data customers and other stakeholders entrust to us a top priority. Our Board of Directors (Board), through our Audit Committee, and our management team are actively involved in the oversight of our Enterprise Risk Management (ERM) program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying and managing material risks from cybersecurity threats. We have made investments in resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. We believe that risks from prior cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that any such incidents will not materially affect us, including our business strategy, results of operations or financial condition. For additional information regarding the risks associated with cybersecurity incidents, see Item 1A. Risk Factors.

CommScope's commitment to cybersecurity begins in the boardroom. The Audit Committee is responsible for oversight of cybersecurity and is actively engaged with our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) at least quarterly, in addition to ad-hoc discussions and our periodic cyber crisis management tabletop exercises. Our CIO and CISO also present on cybersecurity to our full Board at least annually. The commitment extends through our executive leadership team (ELT), who engage continually to review our cybersecurity strategy, planning and execution.

At CommScope, cybersecurity risk is part of our cross-functional Enterprise Risk Management (ERM) program because of the potential for negative impacts of an incident across our business. At least annually we conduct a cybersecurity risk assessment, bringing together threat intelligence, internal assessment of our control posture and third-party opinions. The risk assessment informs our Board and management team and drives the next year's security strategy and initiatives.

CommScope has implemented a cybersecurity program that is dedicated to protecting our business processes, technology assets and sensitive information entrusted to us by our customers, suppliers, employees and other stakeholders. Drawing on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and Center for Internet Security (CIS) 18 Critical Security Controls, our security program seeks to identify high-value enterprise assets and business processes and manage the cybersecurity threats facing them with layered controls. We practice a Defense in Depth methodology, meaning that valuable assets or business processes are generally protected with more than one layered control.

Our cybersecurity program is led by our CIO and our CISO. Our CIO has served in various roles in information technology and information security for over twenty years. Our CISO has over twenty years of technology and security experience and has spent more than fifteen years leading cybersecurity functions. He is also a Certified Information Systems Security Professional (CISSP). Our CISO leads an in-house information security team responsible for cybersecurity risk and threat evaluation; the writing of relevant policies, control standards, and technical requirements; and the oversight and operation of security controls. The Security Operations team monitors for potential incidents via a global team operating 24 x 7 x 365 in a follow-the-sun model. We also engage outside experts where a third-party opinion or subject matter expertise provides specific value, such as with penetration testing. We use industry-leading security tools, regularly update our technology roadmaps, conduct tabletop exercises and mandate cybersecurity awareness and training for all employees.

We not only focus on cybersecurity threats directly facing CommScope but also those that might affect us through one of the many third parties we do business with, including suppliers and customers. Our procurement and security teams have a shared process to review the cybersecurity risk of our suppliers, performing an assessment during onboarding, requiring them to sign up for contractual security requirements, emplacing security controls and investigating third-party incidents as appropriate.

In the event of a significant cybersecurity incident, we have a detailed Cybersecurity Incident Response Plan (CIRP) in place for informing key stakeholders, ensuring events are properly escalated and for contacting authorities. There are many ways that CommScope might initially learn of a cybersecurity incident, and these potential incidents are escalated, according to decision criteria, to a core team of internal stakeholders comprised of leaders from our information security, legal, business and finance organizations. The core team directs the initial fact-finding and response efforts, and based on their qualitative and quantitative review, may escalate the incident to CommScope's ELT. The ELT then makes the decision on escalation to the Audit Committee or Board based on the team's assessment of materiality. Our incident response plan is regularly validated and assessed to consider the types of decisions that would need to be made in the event of a cybersecurity incident.


Company Information

Name: CommScope Holding Company, Inc.
CIK: 0001517228
SIC Description: Radio & Tv Broadcasting & Communications Equipment
Ticker: COMM - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30