Uniti Group Inc. - (UNIT)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company has established an information security program to assess, identify and manage material risks from cybersecurity threats, which is an integral part of the Company's overall enterprise risk management program. This program is established at the executive level, with regular reporting to, and oversight by, the Company’s Board as described below.
As part of the Company’s information security program, the Company maintains written policies and procedures, such as the Information Security Policy and Company’s Incident Response Plan, which identify how cybersecurity measures and controls are developed, implemented, and regularly reviewed and updated. The Company’s Information Security Policy
19

identifies security controls, appropriate use, and user responsibilities for the organization that are in place to identify and manage the risk of a cybersecurity incident.
The Company has implemented a set of controls to manage information risk, utilizing controls from multiple security frameworks, specifically ISO 27001, and the Payment Card Industry Data Security Standard (PCI-DSS). The Company also conducts various internal and external information risk assessments each year, which are based on nationally accepted standards, including annual compliance required assessments, such as PCI and SOX audits, as well as ad-hoc assessments driven by emerging risks, changes in the Company’s environment, or benchmark/roadmap needs. Risks identified in such assessments are considered for inclusion in the Company’s risk portfolio and are then prioritized and addressed as needed through the Company’s broader information security programs and policies. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others. Specific controls that are used to some extent include endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring involving the use of security information and event management (SIEM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention, encryption, and vulnerability and patch management.

Although the risks from cyber threats have not materially affected our business strategy, results of operations, or financial
condition to date, we continue to closely monitor cyber risk. To protect its information and cyber assets, the Company conducts appropriate cybersecurity exercises and training. For example, employees must complete cybersecurity training at least annually, which educates our employees on the Company’s policies and procedures for incident reporting, and avoiding common cybersecurity threats such as phishing attacks.

Additionally, the Company leverages third-party security firms in different capacities to implement or operate various aspects of the Company’s information security program, including to conduct risk assessments, vulnerability scans, and penetration testing based on nationally accepted standards. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, such as requiring an independent assessment of the third party’s information security controls where appropriate. As part of the Company’s process to continuously improve its information security programs, the Company also engages third-party subject matter experts to assess and evaluate the effectiveness of various aspects of the Company’s information security program.

The Company (or the third parties on which it relies) may not be able to fully, continuously, and effectively implement security controls as intended. We utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks and events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

Board Governance and Management

Cybersecurity risk is managed as an enterprise risk in the Company’s enterprise risk management process. At the highest level, the Company’s program includes multi-layered governance by management, the Audit Committee and the Board of Directors.

Ultimate responsibility for risk oversight and management generally lies with the Company’s Board. To effectively manage oversight of our cybersecurity risk management practices, the Board has delegated such responsibility to the Company’s Audit Committee. The Company’s Chief Information Officer (“CIO”) and the information security team provide reports to either the Audit Committee or the full Board on a quarterly basis on various matters, including current and emerging cybersecurity risks to the Company, internal and external assessments of the Company’s information security program, and a roadmap of projects to manage its information security posture. In the event of any significant cybersecurity incidents, the Company’s Incident Response Plan outlines the process to escalate communications to the Audit Committee and/or the full Board in the event of any significant cybersecurity incidents between the quarterly updates on an ad hoc basis.

At the executive and management level, the CIO has primary responsibility for the development, operation, and maintenance of the Company’s information security program. The CIO has 19 years of experience in technology risk management, 11 of which have been with the Company (or its affiliates), and has passed examinations and received certifications as a SANS Global Information Security Leader and a Certified Information Systems Auditor. In addition to the CIO, the Company’s information security team under the direction of the CIO, implements and provides governance and functional oversight for cybersecurity controls and services. Information security processes include escalation of certain risks and incidents to the CIO and the executive team, with monthly scorecard and quarterly dashboards also used to update the risk landscape.
20


Overall, the Company has implemented tactical processes for assessing, identifying, and managing material risks from cybersecurity threats to the company including governance at the Board level and accountability in our executive management for the execution of the Company’s cyber risk management strategy and the controls designed to protect its operations. In addition, we maintain cyber insurance that is designed to protect us against certain losses related to cyber risks, and we believe the amount and scope of this insurance are customary for similarly situated companies in the telecommunications industry. See ITEM 1A. RISK FACTORS for additional information regarding the Company’s cybersecurity risks. Those sections of Item 1A should be read in conjunction with this Item 1C.