Lumen Technologies, Inc. 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

Lumen Technologies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 16:18:31 EST.

Filings

10-K filed on 2026-02-20

Lumen Technologies, Inc. filed a 10-K at 2026-02-20 16:18:31 EST
Accession Number: 0000018926-26-000014


Item 1C. Cybersecurity.

Risk Management and Strategy

As a technology and communications company that globally transmits large amounts of information over our networks, we recognize the critical importance of maintaining the confidentiality, integrity and availability of information and systems under our control. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise program to other key risk areas.

We dedicate significant resources towards programs designed to identify, assess, manage, mitigate and respond to cybersecurity threats. To identify, assess and mitigate cybersecurity risk, we have implemented a global information security management program that includes administrative, technical, and physical safeguards. This program seeks to identify, detect, protect against, and respond to threats to our information systems. Our security operations center provides advanced threat detection and response capabilities. We maintain an insider threat program to detect, investigate and mitigate insider threat risks to Lumen assets, data, services and personnel globally. Our cybersecurity and privacy policies encompass information security, incident response procedures, and vendor management. Our risk management team works closely with our information technology, privacy, product, and operations departments to continuously evaluate emerging cyber risk as part of our overall risk management program.

We monitor existing or proposed cybersecurity and privacy laws, regulations and guidance that are or may be applicable to us in the regions where we operate, including in the European Union and the United Kingdom where we are subject to the GDPR, as well as various other laws governing privacy rights, data protection and cybersecurity in other regions. As a U.S. government contractor, we are required to comply with extensive governmental regulations and standards regarding cyber security.

We periodically engage both internal and external auditors and consultants to assess and enhance our program and to assist in responding to cybersecurity incidents. Many of these independent external auditors and consultants are accredited under various information security standards, including those administered by the International Organization for Standardization and the PCI Security Standards Council. These engagements typically include penetration testing, third-party certifications, compliance assessments, audits, and assessments of vulnerabilities and emerging threats, as well as digital forensics and related work. We also periodically deploy our Internal Audit processes to conduct additional reviews and assessments. We also mutually exchange threat intelligence with government agencies, cyber analysis centers and cybersecurity associations.

As noted elsewhere in this annual report, we are materially reliant on a variety of third-party service providers to operate our business, which exposes us to the risk of cyber incidents impacting those providers' systems. We have a vendor risk management program that assesses, manages and oversees risks associated with third-party service providers who have access to our data and systems. We engage in diligence, contracting or maintain ongoing monitoring for compliance with our cybersecurity standards, depending on our assessment of each provider's operational criticality and risk profile.

Despite our efforts to manage cybersecurity risks and prevent security incidents, (i) some of these attacks have resulted in security incidents (although thus far we do not believe that any of these incidents has resulted in or is reasonably likely to result in a material adverse effect on our business strategy, operating results, or financial condition) and (ii) future security incidents are likely (some of which could have a material adverse effect on our operating results or financial condition). See "Risk Factors" in Item 1A for a further discussion of cybersecurity risks and how they have affected or may affect us.

We maintain an Incident Response Playbook that provides a set of guidelines for our stakeholders to follow when handling any data incident. This playbook describes how we assess incidents and how our security team shares information about such incidents with others at Lumen, including senior leadership and, if warranted, with some or all members of our Board of Directors. These escalation provisions, together with our disclosure controls and procedures, are designed to facilitate appropriate representatives throughout the Company in their assessment of relevant incidents and any necessary public notifications.

Our Cybersecurity Incident Response Team ("CIRT") is responsible for detecting and coordinating responses to appropriate security incidents. This team regularly assesses its internal communication plan and meets as a team to discuss response options. The CIRT also addresses each incident, unless it determines that an incident is sufficiently serious. In those instances, it notifies our Cyber Security Watch Team ("CSWAT"), which is responsible for addressing cybersecurity incidents that raise more significant risks. Our CSWAT comprises senior IT, operations, risk, legal and compliance leaders across business segments.

In addition to addressing our more significant cyber incidents, the CSWAT manages risks from matters related to business continuity, including risks posed by cybersecurity threats, and implements controls to mitigate such operational risks. Among other processes, this team reviews our programs and processes related to information security, third-party risk, vendor management, facilities, unplanned downtime, business disruption, business continuity and disaster recovery.

Governance

As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including oversight by our Board of Directors, executive commitment, and employee training.

Our Risk and Security Committee, comprising independent directors from our Board, assists the Board in overseeing our cybersecurity and data privacy risk. Specifically, our Risk and Security Committee, which meets quarterly, (i) receives periodic reports from our Chief Security Officer ("CSO") on security programs, including incident reports, (ii) reviews cybersecurity risk assessments from information security, privacy, and internal audit management teams, including the adequacy and effectiveness of the Company's internal controls regarding cybersecurity; (iii) reviews emerging cybersecurity developments and threats; (iv) reviews compliance with applicable laws and industry standards; and (v) periodically reviews our strategy to mitigate cybersecurity risks, such as our cyber insurance coverage and contingency plans in the event of security incidents or other system disruptions. At least quarterly, our Risk and Security Committee provides reports to the full Board of Directors regarding matters recently discussed by the Committee, which enables the full Board to provide additional oversight of our cyber risks and cyber processes. The full Board also reviews our cybersecurity risks in connection with its annual review of our enterprise risk mitigation programs.

Our CSO has extensive experience working in the public and private sectors leading security organizations, managing risk functions, and driving large information technology deployments. He has an Engineering degree, a Master of Business Administration, a Chief Information Security Officer Certification, and a Global Information Assurance Certification Security Leadership Certification. He oversees the implementation and compliance of our information security standards and is primarily responsible for managing our processes to assess and mitigate information security related risks.

Our cybersecurity organization includes a response team and management-level committees who support our processes to assess and manage cybersecurity risk as follows:

- At the day-to-day operational level, we maintain an experienced information security team who are tasked with implementing our privacy and cybersecurity program and support the CSO in implementing our detection, reporting, security and mitigation functions. This team and the CSO work to develop and implement tools and processes designed to assist in identifying, containing and remediating cybersecurity incidents, and periodically retain consultants to assist with these activities. We generally seek to promote a company-wide awareness of cybersecurity risk through broad-based communications and educational initiatives, including regularly conducting phishing tests and holding employee trainings on our privacy, cybersecurity and information management policies, at least annually and more frequently when legal or other developments warrant.

- The Technology, Security, and Privacy Council, co-chaired by the CSO, the Chief Information Officer (CIO), and the Chief Privacy Officer (CPO), leverages the combined expertise of various security, IT, legal, internal audit, and operational leaders across the company. This council provides a forum for these cross-functional members of management of our leadership team to consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise. Members of this council are responsible for reporting on cybersecurity and privacy risks to the Risk Oversight Committee ("ROC").

- The ROC, whose core members include our Chief Financial Officer, Chief Technology and Product Officer, Executive Vice President of Enterprise Operations, and Chief Legal Officer, oversees our company-wide risk mitigation strategies. With respect to cyber risks, the ROC's oversight function helps to ensure accountability, adequacy of resourcing, implementation of Company directives, and alignment of oversight provided by our Board of Directors and our senior leadership team. Some of the more significant risks discussed by the ROC are also reported to our Risk and Security Committee at least quarterly.


Company Information

Name: Lumen Technologies, Inc.
CIK: 0000018926
SIC Description: Telephone Communications (No Radiotelephone)
Ticker: LUMN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31