Cable One, Inc. - (CABO)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We employ a layered security approach leveraging people, process and technology — structuring our cybersecurity program to align with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF"). We also intend that our cybersecurity program aligns with applicable laws and regulatory requirements. Our program and the related controls we employ are designed to identify and assess risk with the aim of preventing, detecting or mitigating cybersecurity risks to avoid material harm to our business, customers, associates and other stakeholders.
Our program addresses physical threats caused by infrastructure failures, logical threats caused by threat actors and viruses, as well as other threats we identify by auditing our operations. We conduct annual assessments of our internal control over financial reporting as required for compliance with the Sarbanes-Oxley Act of 2002. Additionally, we conduct annual self-assessments and annual third-party penetration testing of our cybersecurity controls such as for compliance with Payment Card Industry ("PCI") standards, and otherwise where applicable. Our cybersecurity team also monitors supply chain and third-party cybersecurity risks to minimize the likelihood of business disruption, and conducts annual incident response plan rehearsals and risk assessments based on NIST standards, including the CSF.
We have a dedicated internal cybersecurity team that maintains our readiness and security posture by overseeing our cybersecurity program’s information security policies and standards. In doing so, our cybersecurity team works with independent external cybersecurity advisors to develop appropriate standards to identify, assess, mitigate and remediate material cyber risks and issues. For example, PCI standards include quarterly external vulnerability scans that are conducted by a vendor approved by the PCI Security Standards Council. Further, as part of our annual risk assessment controls, we obtain and review the SSAE (SOC-1 Type 2) reports of our key third-party service providers. The annual assessment includes consideration of materiality, identification and prioritization of financial reporting elements ("FREs") using quantitative and qualitative risk factors (including fraud risk), and identification of business processes and information technology systems linked to FREs. The reports are reviewed to identify and evaluate subservice providers, key reports, exceptions and complementary user entity controls and to determine the appropriate response to any identified concerns.
We also incorporate intelligence sharing about emerging threats through collaboration with other companies in our industry, consultants and public-private partnerships with government intelligence agencies, such as the Arizona Cyber Threat Response Alliance ("ACTRA") and The Internet and Television Association ("NCTA").
As part of our cybersecurity program, we provide regular training on our information security policies and standards to help further prevent, detect and mitigate cybersecurity risks. We require mandatory cybersecurity, privacy and information handling training for all new associates upon onboarding and annually thereafter for all associates. We also conduct regular training throughout the year for our associates, as well as third-party contractors, on cybersecurity topics. We conduct training on phishing, social engineering and general cybersecurity awareness. To validate the effectiveness of our training, simulated phishing campaigns are conducted periodically for all associates. Additionally, third-party software vendors and service providers who have access to our data or systems are obligated to adhere to our information security policies and standards as part of their service agreements.
Cybersecurity Governance
Our Board of Directors (the “Board”) employs a principles-based approach to identify and monitor the myriad of risks impacting the Company, including cybersecurity risks. The executive leadership team monitors our risk environment, including attempting to identify potential unknown risks, and regularly reports on such matters to our Board or committees thereof. We have an enterprise risk management ("ERM") program designed to identify, assess, prioritize, manage and mitigate major risk exposures that could affect our ability to execute on our corporate strategy and fulfill our business objectives. Our ERM program is administered by a risk council made up of members of senior management supported by subject matter experts within our organization. The Board fulfills certain risk oversight functions through its standing committees. Representatives of the risk council report to the Audit Committee on risk exposure, management and tolerance, and related matters. The Audit Committee oversees the risks related to the integrity of the Company’s financial statements and receives an ERM report at least annually. Further, the Company’s Disclosure Controls Committee reports directly to the Audit Committee on certain matters relating to our public disclosures. Our Nominating and Governance Committee has the responsibility of periodically monitoring, reviewing and discussing with management the Company’s cybersecurity preparedness, vulnerabilities, defenses and planned responses, including related risk management programs and practices.
As discussed above, our cybersecurity team oversees information security, cyber and technology risk and IT compliance. As of December 31, 2023, our cybersecurity team consisted of 13 associates with an average of approximately 14 years of cybersecurity experience, all of whom hold college degrees, including three that hold a master’s degree (two of which are in the field of information security), along with 52 professional certifications in aggregate. Our cybersecurity team is led by a Senior Director of Cybersecurity, who reports through one of our Vice Presidents to our Chief Technology and Innovation Officer, who is a member of the executive team.
At least quarterly, our cybersecurity team provides a report to our Nominating and Governance Committee and, at least annually, to the full Board regarding our technology and cybersecurity risk profile, programs and key initiatives, including the maturity of our cybersecurity framework and how we compare to selected industry benchmarks.
Our risk oversight activities, including those related to cybersecurity, are supported by internal reporting structures. These structures include protocols in the event of an incident, including the escalation by the cybersecurity team through its reporting structure to the executive team, our Disclosure Controls Committee, our risk council made up of members of our senior management supported by subject matter experts within our organization that administers our ERM program, our Nominating and Governance Committee and the Board, depending on the level of the threat or incident.
For additional information regarding how cybersecurity threats are reasonably likely to materially affect our business strategy, results of operations or financial condition, see "Risk Factors — Risks Relating to Our Business — We rely on network and information systems and other technology, and a disruption or failure of such networks, systems or technology as a result of cybersecurity incidents, as well as outages, natural disasters (including extreme weather), pandemics, terrorist attacks, accidental releases of information or similar events, may disrupt our business" and "Risk Factors — Risks Related to Our Business — Security breaches and other disruptions, including cyber-attacks, and our actual or perceived failure to adequately protect business and consumer data could give rise to liability or reputational harm."