AMERICAN TOWER CORP /MA/ - (AMT)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
As part of our enterprise risk management, we maintain a comprehensive cybersecurity program that proactively monitors, assesses, identifies, mitigates and responds to cybersecurity threats, including threats relating to disruption of business operations or financial reporting systems, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal and reputational risks, and that emphasizes governance and compliance. Our cybersecurity program and related cybersecurity policies are reviewed annually.
Governance
Board of Directors
Our cybersecurity program is overseen by the independent Audit Committee of our Board. Our Chief Information Security Officer (“CISO”) presents a quarterly report of cybersecurity updates to the Audit Committee. Each quarter, the Board receives a report from the Audit Committee chair on items covered during that quarter’s meeting. In 2023, the topics included our focus on cybersecurity resilience, our approach to responsible use of Artificial Intelligence and the new cybersecurity disclosure rules. Our Board's and Audit Committee’s inputs are key components in the development of our long-term cybersecurity strategy, aligning the program’s goals within our risk tolerance.
In addition, a biennial cybersecurity risk assessment is completed with an external third party to provide us with a more complete view of our cybersecurity risk. We retain a prominent cybersecurity consulting firm to assist with, and advise on, our cybersecurity and incident response program. We engage on a quarterly basis with our auditors on matters regarding cybersecurity and maintain a robust control environment, in compliance with the Sarbanes-Oxley Act of 2002, as amended, that includes controls to protect the confidentiality, integrity and availability of our data.
Management
We, along with CoreSite, our data centers operations subsidiary, each maintain a management information security steering committee. We maintain two steering committees because of the distinct nature of CoreSite’s business. Each committee works in collaboration with the other, including through the overlap of certain key steering committee members. Each committee meets quarterly. These committees provide direction and support for our and CoreSite’s security initiatives and review operational metrics.
Our steering committee includes our CISO, our Chief Information Officer, our Chief Risk Officer, our Chief Technology Officer, our Senior Counsel—Corporate Legal, CoreSite’s Senior Vice President of IT & Digitization and CoreSite’s Vice President of Information Security and IT Infrastructure, each of whom has experience, both at American Tower and in prior roles, related to cybersecurity. Our CISO has 25 years of experience in cybersecurity, previously holding positions in the cybersecurity service provider space and at a software security firm. Our Chief Information Officer has held IT leadership positions across large, multi-national companies for nearly three decades, where he has overseen cybersecurity programs. Our Chief Risk Officer has nearly 40 years of risk and audit experience, including oversight of IT audit, with experience at a leading public accounting firm as well as one of the world’s largest computer storage and software companies. Our Chief Technology Officer has over 30 years of experience in the technology space, including leadership roles with wireless carriers and chip manufacturers, where cybersecurity was critical to the delivery of secure solutions. Our Senior Counsel—Corporate Legal also serves as our lead Privacy Officer and is a lawyer who has led our privacy program since its inception. CoreSite’s Senior Vice President of IT & Digitization has led CoreSite’s IT function for over 5 years, including having responsibility for securing the business’s cybersecurity environment. CoreSite’s Vice President of Information Security and IT Infrastructure has over 25 years of experience building secure IT solutions across large network and data center environments and has been responsible for the day-to-day operation of CoreSite’s business-critical IT environment since 2015.
CoreSite’s steering committee includes CoreSite’s Chief Executive Officer, its Chief Accounting Officer, its Chief Revenue Officer, its Senior Vice President of IT & Digitization, its Vice President of Legal, its Senior Vice President of Development & Product Engineering, its Senior Vice President of Data Center Operations, its Senior Vice President of Human Resources, its Vice President of Compliance & Internal Controls, its Senior Vice President of Finance & Corporate Development, its Vice President of Information Security and IT Infrastructure, its Director of Compliance & Internal Controls, and American Tower’s CISO. Each of CoreSite’s steering committee members has been chosen based on their understanding of, and participation in, maintaining the rigorous control environment necessary to achieve the list of certifications detailed below.
Risk Management and Strategy
As part of our risk management strategy, we maintain an insurance policy to cover cybersecurity incidents.
CoreSite maintains several certifications related to cybersecurity processes for nearly all of its data center facilities, including: (i) System and Organization Controls (SOC) 1 Type 2 examination; (ii) SOC 2 Type 2 examination; (iii) International Organization for Standardization (ISO/IEC 27001); (iv) National Institute of Standards and Technology Publication Series 800-53 (NIST 800-53) attestation based on the high-impact baseline controls and additional Federal Risk and Authorization Management Program (FedRAMP) requirements for a subset of control families applicable to colocation services; (v) Payment Card Industry Data Security Standard (PCI DSS) validation; and (vi) Health Insurance Portability and Accountability Act (HIPAA) attestation for the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.
Our cybersecurity awareness program provides training for all global employees at onboarding and subsequently three times every year. In 2023, across our organization, employees completed over 16,000 training classes related to cybersecurity. Additionally, in 2023, to elevate cybersecurity awareness, we also conducted live training as part of our Employee Development program, sent monthly phishing tips to all employees and provided weekly communications during October, which is cybersecurity awareness month.
Operationally, we, along with CoreSite, each perform periodic penetration testing to identify weaknesses in systems and networks so that they can be addressed appropriately. At least once per year, we also engage an outside cybersecurity firm to perform independent testing. Our vulnerability management program is in place to adequately identify, classify, prioritize and remediate vulnerabilities affecting assets. Our security operations program monitors our systems and networks, and is responsible for investigating, responding to, and reporting any potential security incidents in a timely manner. Our Incident Response Plan includes steps to determine materiality of any such incident and escalate matters to the Board, and our employees are regularly trained on the plan. We conduct an incident response exercise at least annually to ensure a timely, consistent and compliant response. In 2023, we performed two separate exercises: (1) a crisis management tabletop exercise that simulated a ransomware incident and included participation from our management, including our CEO and CFO, and (2) an IT-focused tabletop which simulated multiple types of cybersecurity incidents, including (a) compromised credentials, (b) brute force attack, (c) uncleaned malware and (d) ransomware. Both of these tabletop exercises were facilitated by a third party.
Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party vendors and service providers. We have in place a Third-Party Cybersecurity Risk Management program to assess the cybersecurity practices of third-party vendors and service providers with access to our and CoreSite’s systems or information.
We have not been materially impacted by any cybersecurity threats or prior cybersecurity incidents, including with respect to our business strategy, results of operations or financial condition. However, we cannot provide assurance that we will not be materially affected in the future by such risks, threats or any future material incidents. See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.