SBA COMMUNICATIONS CORP 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

SBA COMMUNICATIONS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:26:56 EST.

Filings

10-K filed on 2024-02-28

SBA COMMUNICATIONS CORP filed an 10-K at 2024-02-28 17:26:56 EST
Accession Number: 0001034054-24-000002

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management & Strategy A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, our information systems that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein. We have a comprehensive, cross-functional approach to cybersecurity risk management, driven by our information security management systems and propelled by industry-leading expertise from both our internal information technology security team and top-tier third-party consultants and firms that we engage. Our cyber risk management process is supported by both management and our Board of Directors. Our cybersecurity risk management strategies represent an integral component of our overall approach to enterprise risk management ( ERM ). Our cybersecurity policies, standards, processes, and practices are fully integrated into our ERM program and based on the recognized National Institute of Standards and Technology (NIST) Cybersecurity Framework. We continuously seek to adopt market-leading standards and procedures to protect our tower infrastructure, data, and carrier and consumer information. Key elements of our cybersecurity risk management strategy include: (1) System Monitoring and Testing . We work collaboratively with third-party industry experts and consultants to conduct regular vulnerability assessments and penetration testing from both outside and within our system networks. Our information security team utilizes endpoint software together with technology platforms and applications designed to enable it to monitor user and network behavior and origination points in real time both at our corporate headquarters as well as any of our sites globally. In addition, we conduct quarterly phishing campaign simulations which include notification of the respective Executive Vice President in the event of a failure by an employee in their department. (2) Threat Identification & Response . Our internal information security team works collaboratively with our external industry consultants to identify threats utilizing analytics and metrics, which are aligned with the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework, and mitigate attacks across various layers of our enterprise systems. We 22 Table of Contents leverage the core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover) to constantly work toward identifying opportunities for further improvement and development of our risk mitigation strategies. We also build upon the principles of the ISO 27001 standard and have achieved ISO 27001:2013 certification for one of our data centers. As part of our response preparedness, our executive management team participates in comprehensive tabletop exercises annually simulating cybersecurity breaches or other incidents which simulate identifying, responding and reporting of such an incident in accordance with our risk management programs. (3) Defense Procedures & Preparedness . We have established and maintain a data incident response and a business continuity management plan to timely, consistently, and appropriately address cyber threats that may occur despite our safeguards. The response plan is global in scope and covers the major phases of the incident response process, including preparation, detection and analysis, containment and investigation, notification (which may include timely notice to our Board if deemed material or appropriate), eradication and recovery, and incident closure and post-incident analysis. Our response plan is reviewed annually, regularly tested, and updated based on developments in the industry. Our business continuity management system includes targets and objectives, impact analyses and risk assessments, exercise and testing, training and awareness, documentation and standards for data centers and servers. (4) Outside Consultants & Industry Experts . In addition to the broad capabilities of our internal information security team, we also engage various outside consultants, including contractors, security firms, auditors, and other third-party subject matter experts, to among other things, conduct regular testing of our networks and systems to identify vulnerabilities through penetration testing, while also measuring and advising on potential improvements to our cybersecurity programs. We are also members of recognized global industry organizations such as the Information Systems Audit and Control Association (ISACA), International Information System Security Certification Consortium (ISC), and International Association of Privacy Professionals (IAPP). (5) Third-Party Risk Assessments . We maintain a comprehensive risk-based approach to identifying and overseeing potential cybersecurity risks presented by third parties, including our vendors and service providers. We have a dedicated information technology vendor management team that reports to our Chief Information Officer ( CIO ). We conduct initial and regular cybersecurity assessments of third-party vendors that we engage with in our operations and their information security policies and systems in order to identify, evaluate, and address potential vulnerabilities. (6) Team Member Education & Awareness . We remain dedicated to fostering an internal culture of cybersecurity, where all of our team members are trained to identify, respond, and report potential cybersecurity threats that may arise. New hires are required to participate in cybersecurity onboarding training, and current employees are responsible for completing mandatory cybersecurity training annually and phishing awareness training quarterly. Our leadership team participates in advanced, targeted cybersecurity training and exercises to ensure additional security. As part of our cybersecurity risk management strategy, each cyber threat is evaluated for materiality and escalated based upon evaluation of the potential severity and risk impact on our operations. We have not experienced a material cybersecurity breach in the past three years. As such, we have not incurred any material expenses from cybersecurity breaches or any expenses from penalties or settlements related to a cybersecurity breach during that time. For more information regarding cybersecurity-related risks that could materially affect our business strategies, results of operations, or financial condition, please see Item 1A in this Form 10-K under the headings Security breaches and other disruptions could compromise our information, which would cause our business and reputation to suffer . Governance & Personnel Our Board believes a robust cybersecurity strategy is vital to protect our business, customers, and assets. The Board has delegated to the Audit Committee responsibility for oversight and review of our cybersecurity and other information technology and data privacy risk management program, controls, strategies, and procedures. The Audit Committee periodically evaluates our cybersecurity strategies to ensure effectiveness and, if appropriate, includes a review from third-party experts. In addition, our Board also may review and assess cybersecurity risks as part of its responsibilities for general risk oversight. Our CIO reports to the Audit Committee at every regularly scheduled meeting (or more frequently, as needed) to discuss cybersecurity risk exposure and risk management strategy. Our CIO has over 25 years of experience in the information technology and security industry with global organizations. Our executive leadership team, which includes our CIO, reviews and manages implementation of our cybersecurity strategy and programs through regularly scheduled meetings. Our information security team, led by our CIO and Senior Director, IT Security and Compliance, has over 75 years of collective cybersecurity experience and maintain numerous active industry-recognized cyber certifications, such as Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and Certified Information Systems Auditor (CISA). Our information security team undertakes a variety of measures in the daily monitoring and management of cybersecurity risks across our business. For example, the information security team monitors our technology infrastructure with tools 23 Table of Contents designed to detect suspicious behavior and decrypt VPN traffic on our systems globally. The information security team conducts regular internal and external audits with third-party cybersecurity experts to identify and evaluate potential weaknesses in its cybersecurity systems. Some of these third-party monitoring functions continue throughout the year while other third-party security experts are periodically retained to audit specific areas of our cybersecurity program. In addition, our information security team works with our internal audit function to monitor reporting and escalation of cybersecurity incident reports from across our business .

Company Information