WideOpenWest, Inc. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on July 16, 2024

WideOpenWest, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 07:05:42 EDT.


10-K filed on 2024-03-13

WideOpenWest, Inc. filed a 10-K at 2024-03-13 07:05:42 EDT
Accession Number: 0001558370-24-003047


Item 1C. Cybersecurity.

We believe cybersecurity is a critical component of our overall approach to developing, implementing, and maintaining a security environment that safeguards our information systems and protects the confidentiality and integrity of our data. We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.

Cybersecurity Risk Management and Strategy

The Company integrates cybersecurity into its overall approach to Enterprise Risk Management through a continuous evaluation of our environment for risks that could impact our overall posture. The Company’s policies and procedures to address cybersecurity risks and threats are developed in conjunction with industry standards, best practices, and regulatory requirements. We ensure all employees and contractors are aware of cybersecurity risks through regular communication and required annual trainings.

We have an enterprise-wide information security program designed to identify, protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and next-gen detection platforms, security automation orchestration and response, and protection platforms designed to stop initial malicious activity.

We also maintain a third-party security program to identify, prioritize, assess, mitigate and remediate third party risks; however, we have a shared responsibility model with these third parties and require them to implement security programs commensurate with their risk. We cannot ensure that in all circumstances their efforts will be successful.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, red team exercises, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also engage a third-party vendor to conduct an annual payment card industry data security certification of our security controls protecting payment information, as well as third-party penetration testing of our cardholder environment and related systems. The results of these assessments are reported to the Audit Committee.

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our customers) and other data, confidential information or intellectual property. However, to date these incidents have not had a material impact on our service, systems or business. Any significant disruption to our service or access to our systems could result in a loss of customers and adversely affect our business and results of operations. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputational risk, which could have a negative effect on our business, financial condition and results of operations.

To manage risks posed by third party vendors, the Company requires mutual non-disclosure agreements and master service agreements which include minimum requirements related to cybersecurity, data security, and breach of reporting. Potential threats posed by third party vendors are assessed according to potential level of impact and risk to our overall cybersecurity. Additionally, we obtain SOC-1 Type II and SOC-2 reports from vendors with a financial reporting impact.

Cybersecurity Governance

The Senior Director of Information Security and IT Compliance and the Senior Vice President of Information Technology report to our Chief Technology Officer, who is responsible for overseeing the information security program. The Senior Director of Information Security and IT Compliance is a Certified Information Systems Security Professional with over 20 years of experience in cybersecurity, including continuous cybersecurity threat and risk monitoring. Team members who support our information security program have relevant educational and industry experience; these include but are not limited to: offensive security, advanced incident response, and advanced detection development. The teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments, and findings.

The Board oversees our annual enterprise risk assessment, which is completed with the assistance of third party consultants, where we assess key risks within the company, including security and technology risks and cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from management, including from the Chief Technology Officer, regarding matters of cybersecurity. These updates include existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Any cybersecurity incidents are immediately reported to the Core Incident Response Team (“Core IRT”) which includes key members of management from across the organization. The Core IRT will communicate the incident and potential risks to the Chief Executive Officer. The Core IRT and CEO will determine if the incident should be communicated to the Board of Directors. Any incident that is reported to the Board of Directors includes continuous follow-up as well as detailed documentation provided to the Audit Committee. To date, the Company has not experienced a material cybersecurity incident.

Company Information

Name: WideOpenWest, Inc.
SIC Description: Cable & Other Pay Television Services
Ticker: WOW - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30