ATN International, Inc. - (ATNI)

10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We have invested time and resources with a goal to define, implement and further develop the maturity of our cybersecurity risk management and strategy program. During this time, we have developed a common cybersecurity incident response plan across our businesses and jurisdictions that, while unique to the risk profile of each business, allows us to utilize common response and decision-making protocols in an effort to react quickly to a potential cybersecurity threat and manage risk to our overall Company.

In developing our cybersecurity incident response plan and assessing the maturity of our cybersecurity threat program, we utilize the National Institute of Standards and Technology Cybersecurity Framework (NIST). We use NIST as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. We make it a practice to continually review the maturity of our program, utilizing the NIST standards and leveraging the feedback of both external advisors and third-party threat intelligence tools in an effort to continuously improve our program in relation to evolving cybersecurity threats in our industry.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program overseen by our Risk Council, composed of professionals across a variety of departments and jurisdictions in our organization. Our cybersecurity program utilizes methodologies, reporting channels and governance processes across our subsidiaries that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas that are assessed and reviewed when onboarding new vendors, customers, product lines or shifts in our service delivery models.

Our cybersecurity risk management program includes:

risk assessments performed internally and with the help of third-party vendors that are designed to help identify material cybersecurity risks to our critical systems, information, products, services, equipment, and our broader enterprise IT and customer-facing network environments;
a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, (3) our response to cybersecurity incidents, and (4) our assessment of new products and business processes;
the use of external service providers, where appropriate, to assess, test or otherwise assist with the analysis of our security controls and those of our key vendors;
cybersecurity awareness training of our employees, incident response personnel, and senior management; and
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.

To date, we have not experienced any prior cybersecurity incidents that have materially affected our operations, business strategy, results of operations, or financial condition. For a discussion of risks that could in the future impact our operations, business strategy or financial condition, please see “Cybersecurity breaches could have an adverse effect on our business” in our Risk Factors.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity in connection with its general risk assessment and oversight. The Audit Committee oversees management’s implementation of our cybersecurity risk management program.

The Committee receives frequent, and typically no less than quarterly, reports from management on our cybersecurity risks, assessment of our cybersecurity program, and development of our information security incident response plan. In addition, management updates the Committee, pursuant to an agreed-upon timetable and escalation matrix, regarding any material cybersecurity incidents, as well as providing the Committee with periodic reports on any incidents with lesser impact potential.

The Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management from time to time on our cyber risk management program. Board members receive presentations and training on cybersecurity topics from our Chief Information Officer (CIO), Vice President of Architecture and Security, or external experts as part of the Board’s continuing education on topics that impact public companies. Our CIO is an experienced information technology professional with just under 30 years of experience in the networking and communications industries. His extensive experience extends to all facets of information technology, including enterprise applications, cloud and SaaS systems, network infrastructure, and network management. For the past decade, he has been at the forefront of cloud security through partnerships with leading identity and access management providers and other leading security technology providers. He is a certified Sarbanes-Oxley-trained professional. Our VP of Architecture and Security has over 30 years of experience in IT and Security and has the Certified Information System Security Professional (CISSP) certification as well as various technology vendor certifications.

As referenced above, our Risk Council is responsible for day-to-day cyber risk management, and reports to the Audit Committee on these matters. Our management team, including our General Counsel, who serves as the lead of our Risk Council, and our CIO are responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our internal security team is made up of experienced professionals that have an average of 27 years of IT and security experience, including certifications such as CISSP and CCSP from ISC2. We also have developed an internal training program to develop new talent within our organization and work with vendor and third-party training programs to mentor and educate these team members to expand and enhance the capabilities of our team.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity threats and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.