ADT Inc. - (ADT)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY.
We view cybersecurity as the prevention and timely detection and correction of any unauthorized occurrence or series of related unauthorized occurrences that are on or conducted through ADT’s information systems and that jeopardizes the confidentiality, integrity, or availability of ADT’s systems or any information residing therein. We believe that the safety, security, and privacy of our customers are fundamental to the services we provide. Our cybersecurity policies guide us as we strive to continuously enhance methods, best practices, and technologies to better monitor and protect customer data and inform and enable customers to make choices about their data privacy. We carefully consider data privacy when developing our own products and when incorporating products provided by our business partners.
Risk Management and Strategy
As part of our Enterprise Risk Management program, ADT identifies, assesses, and develops risk mitigation plans for the company, including those relating to cybersecurity risks. The Company’s Chief Information Security Officer (“CISO”), who is designated as a Certified Information Systems Security Professional (“CISSP”), is responsible for developing and implementing plans and strategies to mitigate these risks. The CISO also leads the Company’s cybersecurity risk assessment, which includes security posture scoring, vulnerability assessments, process maturity, and tooling coverage. As part of this process, ADT uses the following tools and procedures:
utilizing “SecurityScorecard” (a third-party information security company that rates cybersecurity postures of corporate entities for the purposes of third-party management and information technology (“IT”) risk management), which provides an independent external enterprise view of ADT’s security posture with a focus on publicly exposed systems;
assessing, and continuously developing and executing on our preventative and detective controls aligned with the National Institute of Standards and Technology (“NIST”) cybersecurity framework, including an annual audit of these internal controls;
conducting third-party penetration testing;
performing attack and breach simulations; and
working with our cybersecurity vendors to ensure tooling and processes are fully adopted to provide the highest levels of protection.
Governance
Cybersecurity Management Team and Board Oversight
ADT’s Board of Directors, through its Audit Committee, has primary responsibility for overseeing cybersecurity risk management and receives at least annual updates on the status of ADT’s cybersecurity program from our CISO. This update is provided in a special Audit Committee session and includes reports on ADT’s security posture and SecurityScorecard assessment (rating and benchmarking), incident response, and vulnerability management. The Audit Committee reviews and discusses with management the Company’s cybersecurity threats, vulnerabilities, defenses, and planned responses. Additionally, the Audit Committee will receive and discuss reports from management with the purpose of identifying threats and vulnerabilities, and it will monitor the effectiveness and progress of the actions and initiatives undertaken to mitigate such threats. ADT’s Cybersecurity Incident Response Plan has been approved by the Audit Committee. In addition, the Audit Committee participates in ADT’s annual Cybersecurity Incident Tabletop exercises and event simulations.
Our cybersecurity management governance structure is led by a CISO (reporting into the Chief Information Officer) with the support of an established Information Security (“InfoSec”) function that is responsible for maintaining and monitoring ADT’s cybersecurity infrastructure. ADT also has a Data Privacy Officer (reporting into the Chief Legal Officer) whose role is to ensure ADT’s processes and protections over sensitive data comply with applicable data protection rules and regulations. In addition to the activities described above under “Risk Management and Strategy,” we have a cybersecurity council (composed of ADT management with expertise in IT security, compliance, and communications) that meets quarterly to review and discuss compliance, cybersecurity risk, and preventive programs.
ADT also conducts privacy impact assessments and empowers its employees to effectuate these privacy considerations on an ongoing basis. All ADT team members are required to complete and acknowledge annual training to raise awareness of current security risks and behavior and around our Information Security and Privacy policies. Additional education and training are also required for specific groups based on their roles within the organization.
Incident Response and Assessment Policies and Procedures
ADT aligns with industry-standard cybersecurity frameworks designed to protect the company and customer data from unintentional disclosure, cybersecurity events, and other threats of all severity levels. As part of our alignment with these frameworks we have a Cybersecurity Incident Response Plan that outlines actions to be taken after identifying a suspected information security breach and the people responsible for managing those actions. Additionally, this plan outlines communication responsibilities during incidents of all severity levels.
If a materiality assessment is required, the CISO will report such incident to the Chief Legal Officer who will then determine in consultation with other persons as appropriate, without unreasonable delay, whether the incident is material to the Company. The incident materiality determination will be made by considering all relevant quantitative and qualitative factors, on an individual basis and in the aggregate for multiple and/or a series of incidents. While ADT has not experienced a material direct data breach within its infrastructure, a material breach would likely be the result of external and/or internal threats and vulnerabilities to data, systems, websites, and/or products, including ransomware threats, email fraud, phishing attacks, data breaches, and customer product compromises including the theft of data and/or funds.
For additional information regarding how cybersecurity threats have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see “Risk Factors—”:
“—Delays, costs, and disruptions that result from upgrading, integrating, and maintaining the security of our information and technology networks and systems could materially adversely affect us,”
“—If we do not effectively implement our plans to migrate our technology infrastructure to the cloud, we could experience significant disruptions in our operations, which could have a material adverse effect on our results of operations and financial condition,”
“—Cybersecurity breaches or threats or other unauthorized access or attempts to access to our systems could compromise the security of our systems and otherwise disrupt our normal operations which could have a material adverse effect on our business, results of operations and financial condition,” and
“—Our independent, third-party authorized dealers may not be able to mitigate certain risks such as information technology breaches, data security breaches, product liability, errors and omissions, and marketing compliance”.