ADTRAN Holdings, Inc. - (ADTN)

10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY

We recognize the importance of establishing governance and oversight over cybersecurity risks, and we have implemented mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks.

The landscape of cyber threats is constantly evolving, making it increasingly challenging to effectively defend against them or implement sufficient preventative measures. We have observed a rise in the volume, frequency, and sophistication of cyber-attacks. To date, no risks from cybersecurity threats or previous cybersecurity incidents have materially affected our business strategy, results of operations, or financial condition. However, there can be no assurance that our controls and procedures in place to monitor and mitigate the risks of cyber threats, including the remediation of critical information security and software vulnerabilities, will be sufficient and/or timely and that we will not suffer material losses or consequences in the future. Additionally, while we have in place insurance coverage designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all insured losses or all types of claims that may arise. For more information regarding the cybersecurity risks that we face, see “Risks Related to Our Control Environment – Breaches of our information systems and cyberattacks could compromise our intellectual property and cause significant damage to our business and reputation” included as part of our risk factor disclosures in Part I, Item 1A of this report.

We have adopted and continue to maintain a cybersecurity risk management program that implements various controls, technology, and procedures for the evaluation, identification, and handling of significant cybersecurity risks that could impact the confidentiality, integrity, or availability of our information systems.

Our practices include, among others, providing ongoing security awareness training for our global workforce, conducting ransomware and phishing simulations, deploying tools for the detection and analysis of anomalous network activities, and implementing containment and incident response procedures. We are committed to staying abreast of the latest industry standards, and we actively participate in industry forums to exchange insights and stay ahead of emerging cybersecurity threats.

A critical component of our cybersecurity strategy is the integration of a third-party Security Operations Center support, which monitors our global network environment on a 24/7/365 basis, and is designed to rapidly identify and respond to threats. This program monitors both internally detected and externally reported vulnerabilities that could impact our products, which are then evaluated for their cybersecurity implications according to Company protocols. We also utilize third-party service providers as part of our cybersecurity risk management program and maintain a framework for managing cybersecurity risks presented by our third-party Service Providers. This framework governs the third party’s security management system and mandates that the program (i) adhere to certain information handling and asset management protocols and (ii) promptly notify us of any cybersecurity incidents that impact its systems.

Our enterprise risk management ("ERM") framework is designed to systematically integrate the assessment, identification, and handling of cybersecurity-related risks into our broader risk management strategy. This process involves an annual evaluation of the spectrum of risks facing the enterprise, including those related to cybersecurity. When elevated cybersecurity risks are detected, designated risk owners are tasked with formulating and overseeing the execution of targeted mitigation strategies.

This risk management approach informs decision-making processes related to the company's strategic priorities, the allocation of resources, and the establishment of oversight mechanisms. The governance of this program resides with our Board of Directors, which bears the ultimate responsibility for the oversight of cybersecurity risks. Supporting the Board, the Audit Committee plays a pivotal role by engaging in regular reviews of our cybersecurity efforts in collaboration with management and providing periodic updates to the Board. These assessments are conducted at least quarterly, with additional sessions convened as needed to address emerging issues or refine strategies.

Our Chief Information Officer ("CIO")/Chief Information Security Officer ("CISO") leads our cybersecurity program and reports to our Chief Executive Officer. The CIO/CISO stays informed of prevention, detection, mitigation, and remediation efforts through regular communication with professionals on our cybersecurity team, many of whom hold certifications such as Security+, Certified Information Systems Security Professional or Certified Information Security Manager. The CIO/CISO also utilizes technological tools, software, and third-party audits to monitor our cybersecurity efforts. Our CIO/CISO joined the Company in November 2018 and brings a wealth of experience from leading cybersecurity initiatives in previous roles. Our Chief Technology Officer ("CTO") joined the company in January 2023 following the Business Combination and previously served as Adtran Networks' CTO, leading their product management and advanced technology teams. Our CTO helps oversee our product security programs. Both the CIO/CISO and CTO have extensive experience in assessing and managing cybersecurity programs and risks. Our CIO/CISO reports to the Audit Committee and the Board of Directors on our cybersecurity program and efforts. Additionally, we have an escalation process in place to inform senior management and the Board of Directors of any material issues.

 

45