AT&T INC. - (T)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY

Governance

Board and Audit Committee Oversight
Our Board of Directors has delegated to the Audit Committee the oversight responsibility to review and discuss with management the Company’s privacy and data security, including cybersecurity, risk exposures, policies and practices, and the steps management has taken to detect, monitor and control such risks and the potential impact of those exposures on our business, financial results, operations and reputation. The full Board and the Audit Committee regularly receive reports and presentations on privacy and data security, which address relevant cybersecurity issues and risks and span a wide range of topics. These reports and presentations are provided by officers with responsibility for privacy and data security, who include our Chief Information Security Officer (CISO), Chief Technology Officer (CTO) and AT&T’s Legal team. In addition to regular reports to the Audit Committee, we have protocols by which certain security incidents are escalated within the Company and, where appropriate, reported in a timely manner to the Audit Committee.

Chief Security Office/CISO
We maintain a Chief Security Office (CSO), which is charged with management-level responsibility for all aspects of network and information security within the Company. Led by our CISO and comprised of a large team of highly trained security professionals across multiple countries, the CSO is responsible for:
a. establishing the policies, standards and requirements for the security of AT&T’s computing and network environments;
b. protecting AT&T-owned and -managed assets and resources against unauthorized access by monitoring potential security threats, correlating network events, and overseeing the execution of corrective actions;
c. promoting compliance with AT&T’s security policies and network and information security program in a consistent manner on network systems and applications; and
d. providing security thought leadership in the global security arena.

Our CISO plays the key management role in assessing and managing our material risks from cybersecurity threats. The CISO also works closely with AT&T Legal to oversee compliance with legal, regulatory and contractual security requirements. The CISO has extensive technical leadership experience and cybersecurity expertise, gained from approximately 20 years of experience, including serving as the Chief Information Security Officer and Director of the Office of Cybersecurity at a U.S. government agency, in addition to serving as the Chief Information Security Officer of two large public companies. Prior to that, he served for 20 years in the U.S. military, in various information technology roles of increasing seniority. The security professionals in the CSO have cybersecurity backgrounds and expertise relevant to their roles, including, in certain circumstances, relevant industry certifications.

Risk Management and Strategy
We maintain a network and information security program that is reasonably designed to protect our information, and that of our customers, from unauthorized risks to their confidentiality, integrity, or availability. Our program encompasses the CSO and its policies, platforms, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats, including third-party risk from vendors and suppliers; and the program is generally designed to identify and respond to security incidents and threats in a timely manner to minimize the loss or compromise of information assets and to facilitate incident resolution.

We maintain continuous and near-real-time security monitoring of the AT&T network for investigation, action and response to network security events. This security monitoring leverages tools, where available, such as near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trend analysis and predictive security alerting. We assess, identify, and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises to test our preparedness and incident response process, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, penetration tests and engaging third parties to conduct analyses of our information security program. We conduct vulnerability testing and assess identified vulnerabilities for severity, the potential impact to AT&T and our customers, and likelihood of occurrence. We regularly evaluate security controls to maintain their functionality in accordance with security policy. We also obtain cybersecurity threat intelligence from recognized forums, third parties, and other sources as part of our risk assessment process. In addition, as a critical infrastructure entity, we collaborate with numerous agencies in the U.S. government to help protect U.S. communications networks and critical infrastructure, which, in turn, informs our cybersecurity threat intelligence.

With respect to incident response, the Company has adopted a Cybersecurity Incident Response Plan, as well as a Data Privacy Incident Response Plan that applies if customer information has been compromised (together, the “IRPs”), to provide a common framework for responding to security incidents. This framework establishes procedures for identifying, validating, categorizing, documenting and responding to security events that are identified by or reported to the CSO. The IRPs apply to all AT&T personnel (including contractors and partners) that perform functions or services that require securing AT&T information and computing assets, and to all devices and network services that are owned or managed by the Company.

The IRPs set out a coordinated, multi-functional approach for investigating, containing, and mitigating incidents, including reporting findings to senior management and other key stakeholders and keeping them informed and involved as appropriate. In general, our incident response process follows the NIST (National Institute of Standards and Technology) framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation.

Impact of Cybersecurity Risk
In 2023, we did not identify and were not aware of any cybersecurity breaches that we believe have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. For a discussion of cybersecurity risk, please see the information contained under the heading “Cyberattacks impacting our networks or systems may have a material adverse effect on our operations” of Item 1A.