DISH DBS CORP 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

DISH DBS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:26:15 EDT.

Filings

10-K filed on 2024-04-01

DISH DBS CORP filed an 10-K at 2024-04-01 16:26:15 EDT
Accession Number: 0001558370-24-004539

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY We recognize the importance of assessing, identifying, reviewing and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational and legal risks including intellectual property theft or loss, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. Our framework is informed in part by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, although this does not imply that we meet all technical standards, specifications or requirements under NIST. We have an enterprise-wide information security program designed to identify, protect against, detect, respond to, and recover from cybersecurity risks, threats and events. Our cyber risk management system contributes significantly to the overall resilience and integrity of our business by, among other things, integrating the risk identification process in all major company initiatives and deployment processes, implementing a unified approach to managing both digital and traditional business risks, making continuous improvements and regularly reporting to management and EchoStar s Board of Directors as a whole to ensure accountability. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We and certain third parties conduct regular reviews and tests of our information security program and also leverage, among other things, audits, tabletop exercises, penetration and vulnerability testing, red team exercises, simulations and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. In addition, we evaluate third-party risks and perform third-party risk management to assess, identify and mitigate risks from third parties such as vendors, suppliers and other business partners. We have experienced cyber-attacks or other malicious activities that disrupted our business in the past. Any future failure or disruption of our information technology infrastructure and communications systems or those of third parties that we use in our operations could harm our business in the future. On February 23, 2023, we experienced a network outage that affected its internal servers and IT telephony. We immediately activated our incident response and business continuity plans designed to contain, remediate and recover from the situation. We engaged the services of certain cyber-security experts and outside advisors to assist in the evaluation of the situation, and once we determined that the outage was due to a cybersecurity incident, we promptly notified appropriate law enforcement authorities. In addition, on February 28, 2023, we further disclosed that certain data had been extracted from the DISH Network IT systems. After investigation and discussions with certain third parties, we determined that our customer databases were not accessed, however, we confirmed that certain employee-related records as well as a limited number of other records containing certain personal information were among the data extracted. We took steps to protect the affected records, received confirmation that the extracted data was deleted and notified individuals whose data was extracted. 21 Table of Contents The DISH TV and SLING TV services remained operational at all times during the incident. As of March 31, 2023, all significant systems had been restored. We have no reason to believe that this cybersecurity incident has not been concluded. We describe whether and how risks from identified cybersecurity threats, including, but not limited to, as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K. The Chief Information Security Officer ( CISO ) leads our information security organization responsible for overseeing our information security program. The CISO has over 25 years of experience in various roles involving information security, including risk management and security leadership. Team members who support our information security program have relevant education, professional certifications and industry experience, including but not limited to, holding similar positions at large technology companies. The team provides regular reports, no less frequently than monthly, to senior management and other relevant teams, including, but not limited to, the Chief Executive Officer ( CEO ), Chief Operating Officer ( COO ), Chief Information Officer ( CIO ) and Chief Legal Officer ( CLO ). Preparation for and, where possible prevention of cybersecurity incidents involves regular and structured briefings to key management on risk remediation measures that should be taken to decrease, among other things, the likelihood and severability of incidents and to mitigate and manage their effects. The CEO, COO, CIO, CLO and other members of management receive detailed updates on cybersecurity risks on a regular basis, no less frequently than monthly, or when significant risks or incidents are identified. These briefings enable the management team to, among other things, stay informed of the latest threats, assess the effectiveness of current security measures and make timely decisions on strategic security initiatives. In addition, EchoStar s Board of Directors is regularly briefed, no less frequently than quarterly, on cybersecurity risks as part of its oversight functions and to ensure that cybersecurity practices align with the company s overall risk management framework and business objectives. In connection with the Integration, we anticipate that we will continue to evaluate and address as needed our cyber security risk management, policies, structure, strategies and governance to meet our needs.

Company Information