CROWN CASTLE INC. - (CCI)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Our company maintains a comprehensive Information Security Program ("IS Program") focused on detection, assessment and mitigation of cybersecurity risks. Our dedicated enterprise security team, led by our Chief Information Security Officer ("CISO"), administers the IS Program and is responsible for identification, investigation and response to cyber threats and vulnerabilities. The enterprise security team also implements, manages, and assesses our company's cyber policies, standards and procedures, which leverage our team's expertise and the National Institute of Standards and Technology Cybersecurity Framework. We have developed an incident response plan to handle suspected loss of, or unauthorized access to, information. We regularly conduct tabletop exercises, red team exercises, simulations, and other exercises to evaluate the effectiveness of our IS Program and to position our company for a coordinated, strategic response in the event of an actual security incident. All employees are required to complete cybersecurity trainings and employees in higher-risk roles are required to complete additional customized training tailored to address their specific risk exposure. Our Security Operations Center ("SOC"), which operates 24 hours a day, 365 days a year, is designed to provide visibility of security events across the company and a mechanism for swiftly addressing cyber threats before they compromise data security. Through a combination of a threat management platform and our team of cybersecurity specialists, our SOC continuously monitors and proactively isolates and analyzes cybersecurity alerts to help us address cybersecurity risks.
The identification, assessment and management of cybersecurity risks are integrated into our existing enterprise risk management ("ERM") framework. Cybersecurity-related risks are included in the risk universe that the ERM function evaluates to assess top risks to the enterprise on an annual basis, which are presented to and reviewed by the Audit Committee.
We engage third-party providers to conduct evaluations of our security controls, including through vulnerability assessments and penetration testing, independent audits or consulting on best practices. These evaluations include testing both the design and operational effectiveness of security controls. Additionally, our internal audit team regularly evaluates the effectiveness of the IS Program, with results reported to the board of directors.
We also have policies and procedures in place to manage cybersecurity risks associated with third-party service providers. We impose security requirements on our suppliers, which include maintaining a security management program, complying with information handling requirements, and notifying us in the event of any known or suspected cyber incident. Where appropriate, we assess third-party cybersecurity controls and include security and privacy addenda to our vendor contracts.
Our CISO reports directly to our Executive Vice President and Chief Information Officer ("CIO"), who reports to our CEO. Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication with and reporting from the enterprise security team, many of whom hold cybersecurity certifications, and through the use of technological tools and software and results from third-party assessments. Our CISO and CIO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has 25 years of cybersecurity experience, including having served as Chief Technology Officer/CISO and co-founder of two cybersecurity companies, during which time he provided cybersecurity consulting services to Fortune 500 companies and taught a digital and network forensics course at the National Computer Forensics Institute. Prior to joining our company, our CISO served as the Director of Security Services for a large network infrastructure company and our CIO was responsible for network security policies, technology, and operations, including intrusion detection systems and conducting penetration testing, at another large public company. The CIO (and previously, Vice President, Audit and Security) periodically reports to the Audit Committee regarding cybersecurity risk exposure and risk mitigation strategies. The board of directors also may review and assess cybersecurity risks in connection with its review of our company's mission critical risks.
While we have not, as of the date of this 2023 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. See "Risk Factors" for more information on our cybersecurity risks.