CINCINNATI BELL INC 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

CINCINNATI BELL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 13:22:02 EDT.

Filings

10-K filed on 2024-03-25

CINCINNATI BELL INC filed an 10-K at 2024-03-25 13:22:02 EDT
Accession Number: 0000950170-24-035762

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Security Program Overview The Company’s cybersecurity program is framework-based, and risk and metrics-focused. The program uses and is measured against National Institute of Standards and Technology Standards (“NIST”) 800-53(r5) and supporting standards. The Company utilizes a risk-based security program that strives for an effective balance of controls and processes across the Identify, Protect, Detect, Respond and Recover areas of the framework. As a service provider and technology partner, we have on-going initiatives that address the areas below to achieve a comprehensive security program. Security Governance The Company’s Board of Directors has designated a subcommittee of the Board that meets quarterly to provide oversight of risks from cybersecurity threats. The Company s Vice President and Chief Security Officer (“CSO”) reports to this subcommittee to inform them on the Company s threat and risk landscape, and the management of cybersecurity incidents. This subcommittee consists of board members and the Company s executive leadership team. The CSO also leads a cross-functional, executive-level Security Council that meets quarterly and governs all aspects of the Company s security program. The Company maintains a risk-based security program that is supported by a comprehensive set of policies, procedures, and standards based on the NIST cybersecurity framework, which includes administrative, physical, and technical safeguards. The CSO joined altafiber in 2023 with over 20 years of cybersecurity experience in highly regulated industries and the government in identifying, managing, and mitigating cybersecurity risk. Previously, the CSO held an officer role at a large Fortune 500 financial services firm developing cybersecurity strategy and leading teams focused on risk management, security architecture and engineering, incident response, and threat intelligence. The CSO also serves on multiple advisory boards related to cybersecurity and is the current board chair for Miami University s Center for Cybersecurity. Risk Management The Company established an Enterprise Risk Management (ERM) Committee that employs the International Organization for Standardization (ISO) risk management standards. Members of the ERM Committee include the Company’s CSO, Chief Financial Officer, Chief Network Officer, Director of Safety and Risk Management and the Director of Internal Audit. The committee leverages a proprietary internal risk management tool to maintain a risk register, which systematically identifies, assesses, prioritizes, and manages risks within the enterprise. This structured approach enables us to conduct a formal, periodic risk assessment, ensuring the continuous enhancement of our security posture. In addition to threats, vulnerabilities, impacts and costs, the risk assessment process also identifies the costs and effectiveness of countermeasures and action plans to reduce risk. Security Awareness and Training The Company established a security awareness program that focuses on individual employees’ impact to the overall security strength of the company. Via the use of web-based and in person training, surveys and published literature, the Company is constantly making the employees aware of the vital role they play in protecting both the Company and customers data. Phishing exercises are also periodically conducted to improve employee knowledge of and response to security threats. Specialized web-based training covering Payment Card Industry (“PCI”), Health Insurance Portability and Accountability Act (“HIPAA”) and Federal Tax Information is also required and tracked for employees who have access to that data. Identity and Access Management The Company requires authorization of all personnel, including contractors, before being granted access to facilities, systems, and data. The Company’s identity and access management systems are integrated with human resource applications and processes to facilitate provisioning and de-provisioning of badges and logical system access. Cybersecurity The Company employs a defense in depth approach to providing security around our networks, servers, and data. Most of our critical networks leverage redundant components and connections to ensure high levels of availability, reliability, and performance. The Company employs a security architecture that identifies rules for segmentation and access control based on risk and impact to the business. This includes infrastructure, applications, and data in the cloud. Endpoint and Device Protection & Anti-Malware The Company has hardening policies and processes and uses a gold image approach to deploying new clients and servers. Configurations that go into gold images are reviewed with security staff. Advanced anti-malware controls are in place and patching cadence and performance of endpoint devices are watched closely. 29 Table of Contents Form 10-K Part I Cincinnati Bell Inc. Protection of Customer and Other Sensitive Data The Company complies with regulations for Customer Proprietary Network Information protection (Title 47 section 222) and has taken measures over the past several years to limit or remove Personal Identifiable Information (“PII”) and other sensitive information from databases and internal systems. Access to sensitive information from third party partners is managed through secure virtual terminal environments, and movement of PII is monitored on premise and in key cloud applications. Application and Product Security The Company’s application security program is based on the Open Web Application Security Standard (“OWASP”) and critical systems have been benchmarked for compliance with our security polices and standards. Security work is jointly prioritized with security staff and product/application/development organizations and third parties with responsibility for application development and maintenance. Security checklists have also been developed and are used in new product development lifecycle processes. Third Party Risk Management Third parties with access to data or infrastructure must go through a vetting process to ensure they comply with reasonable and industry accepted security practices. The vetting process includes assessments, review of third-party attestation and inclusion of standard security language in contracts. Security staff work closely with legal, procurement/sourcing personnel and other stakeholders within the Company on third party compliance practices. Threat and Vulnerability Management Vulnerability scanning and attack and penetration testing, quarterly and annually, is conducted on perimeter networks and E-commerce platforms by third parties and qualified internal personnel. The testing covers network, host, application, and data security. The Company uses the Common Vulnerability Scoring System (“CVSS”) standard for vulnerability management. Various open source, third party and internally developed threat intelligence platforms are used to stay abreast of threats facing the Company and our industry. Security Assessments Various company environments are regularly audited by a third-party AICPA- and PCAOB-registered certified public accounting firm and has consistently obtained PCI DSS 3.2, SSAE18 SOC1, SOC2, CSAE34-16 SOC1 and SOC2 certifications and HIPAA compliance. The Company currently holds 20 such certifications. Change Management and ITSM The Company employs robust change, incident and problem management practices across core network, managed services, and information technology environments. Security team members are an active part of these processes. Emergency Management, Incident Response and Cyber Insurance The Company has invested in technology and processes for timely incident response to security and crisis events. Physical and cybersecurity staff, health and safety, legal, operational and human resources personnel are part of the overall emergency and incident response team. The Company has partnerships with third parties for forensics, and incident response consulting. The Company also maintains effective levels of cyber insurance against large data breaches or cybersecurity events. Service and Business Continuity The Company conducts service continuity exercises and monitors network fault and performance 24 hours a day, 365 days a year to quickly detect and respond to service degradation or impairment. A set of business continuity plans and scenarios are also in place to address catastrophic events to personnel, critical infrastructure, and applications. The Company conducts periodic internal tabletop exercises and joint exercises with customers. Business continuity efforts are overseen by the Company’s Business Continuity Committee following policy set by the Company’s Security Council. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see Risk Factors Intellectual Property Tax, Regulatory, and Litigation Risks in this annual report on Form 10-K. Website Access and Other Information The Company was incorporated under the laws of Ohio in 1983 with its headquarters at 221 East Fourth Street, Cincinnati, Ohio 45202 (telephone number (513) 397-9900 and website address http://www.altafiber.com). The Company has ceased to be subject to the reporting requirements of the Securities Exchange Act of 1934, as amended, but continues to voluntarily file annual, quarterly and certain other information with the SEC due to contractual provisions included in certain indentures. The SEC maintains an internet site that contains reports, proxy statements, and other information about issuers which file electronically with the SEC. The address of that site is http://www.sec.gov. 30 Table of Contents Form 10-K Part I Cincinnati Bell Inc.

Company Information