ARRAY DIGITAL INFRASTRUCTURE, INC. 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

ARRAY DIGITAL INFRASTRUCTURE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 07:54:11 EST.

Filings

10-K filed on 2026-02-20

ARRAY DIGITAL INFRASTRUCTURE, INC. filed a 10-K at 2026-02-20 07:54:11 EST
Accession Number: 0000821130-26-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Program Overview The Array cybersecurity program is based on a defense-in-depth approach aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Led by the TDS Chief Information Security Officer (CISO), the program is designed to identify, assess and mitigate cyber risks to Array's business, associates and stakeholders. Risks are identified across the threat and vulnerability landscape using commercial, government, vendor and publicly available information sources and tools. Identified risks are evaluated against a risk classification framework to direct remediation, mitigation and management efforts based on severity. Cybersecurity risks are integrated into the Array Enterprise Risk Management (ERM) program with updates provided on a quarterly basis. Array maintains a robust cybersecurity controls environment, underpinning Array's Sarbanes-Oxley (SOX) compliance efforts, to foster confidentiality, integrity and availability of data. Security control and maturity assessments leveraging the NIST Cybersecurity Framework are conducted regularly with results reported to the Audit Committee on an annual basis. Array also leverages internal and external auditors and consultants to perform independent assessments and tests of security controls. These assessment results are used to drive continuous improvement in the Array cybersecurity control environment. Third-party providers with access to Array data and systems are subject to a formal risk assessment process. This includes evidence-based reviews, such as SOC 2 Type 2 reports. Third-parties who access sensitive company or customer information are contractually obligated to meet specific privacy and security requirements. The Array security operations program provides advanced monitoring, threat detection and response to security events. This includes active monitoring of the internal environment as well as regular assessment of the environments of third-party service providers who manage sensitive data. Array has a robust security awareness program. All associates complete security awareness training during onboarding and annually, with additional targeted training and frequent phishing simulations conducted throughout the year. Regular cyber incident simulations are conducted at the technical, executive management and board levels to evaluate and improve preparedness for a cyber incident. Governance and Oversight Cyber risk management is led by the TDS CISO, who has over twenty-five years of experience at TDS across network engineering, information technology and cybersecurity, including over four years of board-level reporting on cybersecurity. The CISO has extensive cybersecurity experience in the telecommunications industry and stays current on new developments through continuing education and collaboration with private sector and government partners. The full Board of Directors engages in oversight of Array's cybersecurity risks. The Board of Directors receives regular updates from management on technology developments, cybersecurity threats and mitigation plans. The TDS CISO provides the full Board of Directors an annual update and discussion of the cybersecurity program. The Audit Committee oversees the processes over internal controls and financial reporting that includes controls and procedures regarding cybersecurity risk. The TDS CISO briefs the Audit Committee at least two times per year. Cybersecurity is also discussed with the Technology Advisory Group of the Board of Directors as warranted. Materiality and Disclosure Significant cybersecurity incidents are communicated directly to senior management and the Board of Directors. These incidents are reviewed by an internal committee, including the Chief Financial Officer and General Counsel, to assess their materiality in accordance with SEC requirements. To date, Array has not identified nor become aware of any cybersecurity incidents that individually or in aggregate have materially affected or are reasonably likely to materially affect Array, including its business strategy, results of operations, or financial condition.

Company Information