Lumen Technologies, Inc. - (LUMN)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

Risk management and strategy

As a technology and communications company that globally transmits large amounts of information over our networks, we recognize the critical importance of maintaining the security and integrity of information and systems under our control. We view cybersecurity risk as one of our principal enterprise-wide risks, subject to control and monitoring at various levels of management throughout the Company. We dedicate significant resources towards programs designed to identify, assess, manage, mitigate and respond to cybersecurity threats.

As described in Item 1A “Risk Factors,” several features of our operations heighten our susceptibility to cyber-attacks, including (i) our material reliance on our owned and leased networks to conduct our operations, (ii) our transmission of large amounts of data over our systems and (iii) our processing and storage of sensitive customer data. Cyber-attacks on our systems may stem from a variety of sources, including fraud, malice or sabotage on the part of foreign nations, third parties, vendors, or employees and attempts by outside parties to gain access to sensitive data that is stored in or transmitted across our network. Cyber-attacks can take many forms, including computer hackings, computer viruses, ransomware, worms or other destructive or disruptive software, denial of service attacks, or other malicious activities.

To identify, assess and mitigate cybersecurity risk, we have implemented a global information security management program that includes administrative, technical, and physical safeguards. We leverage a defense-in-depth model to identify, detect, protect and respond to threats to our information systems. Our security operations center provides advanced threat detection and response capabilities. We maintain an insider threat program to detect, investigate and mitigate insider threat risks to Lumen assets, data, services and personnel globally.
Our privacy and cybersecurity policies encompass information security, incident response procedures, and vendor management. Our risk management team works closely with our Information Technology, Privacy, Product, and Operations departments to continuously evaluate emerging cyber risk. We monitor existing or proposed privacy and cybersecurity laws, regulations and guidance that are or may be applicable to us in the regions where we operate, including in the European Union and the United Kingdom where we are subject to GDPR, as well as various other laws governing privacy rights, data protection and cybersecurity in other regions. As a U.S. government contractor we are required to comply with extensive governmental regulations and standards regarding cybersecurity.

We periodically engage both internal and external auditors and consultants to assess and enhance our program. These independent external auditors and consultants are accredited under various information security standards, including those administered by the International Organization for Standardization and the PCI Security Council. These engagements typically include penetration testing, third-party certifications, compliance assessments, audits, and assessments of vulnerabilities and emerging threats. We also periodically deploy our Internal Audit processes to conduct additional reviews and assessments. We also share and receive threat intelligence with government agencies, cyber analysis centers and cybersecurity associations.

As noted elsewhere in this annual report, we are materially reliant on a variety of third-party service providers to operate our business, which exposes us to the risk of cyber incidents impacting those providers’ systems. We have a vendor risk management program that assesses, manages and oversees risks associated with third-party service providers who have access to our data and systems. We maintain ongoing monitoring to ensure their compliance with our cybersecurity standards.

Despite our efforts to prevent security incidents, (i) some of these attacks have resulted in security incidents (although thus far we do not believe that any of these incidents has resulted in a material adverse effect on our operating results or financial condition) and (ii) future security incidents are likely (some of which could have a material adverse effect on our operating results or financial condition). See Item 1A “Risk Factors” for a further discussion of cybersecurity risks.

We maintain an Incident Response Playbook that provides a set of guidelines for our stakeholders to follow when handling any data incident. This Playbook describes how we assess incidents and how our security team shares information about such incidents with others at Lumen, including senior leadership and, if warranted, with some or all members of the Board of Directors. These escalation provisions, together with our Disclosure Controls and Procedures, are designed to ensure that appropriate representatives throughout the Company are available to assess how to respond to such incidents and make any necessary public notifications.

Our Incident Response Team (“CIRT”) is notified of all cybersecurity incidents, and is responsible for detecting and coordinating responses to security incidents. This team regularly assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss response options. The CIRT also addresses each incident, unless it determines that an incident is sufficiently serious. In those instances, it will notify our Cyber Security Watch Team, which is responsible for addressing cybersecurity incidents that raise more significant risks.

Our Cyber Security Watch Team (“CSWAT”) is comprised of senior IT, operations, risk, legal and compliance leaders across business segments. In addition to addressing our more significant cyber incidents, CSWAT manages risks from matters related to business continuity, including risks posed by cybersecurity threats, and implements controls to mitigate such operational risks. Among other processes, this team reviews our programs and processes related to information security, third party risk, vendor management, facilities, unplanned downtime, business disruption, business continuity and disaster recovery.

Governance

As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including Board oversight, executive commitment and employee training. Our Risk and Security Committee, comprised of independent directors from our Board, assists the Board in overseeing our cybersecurity and data privacy risk. Specifically, our Risk and Security Committee, which meets quarterly, (i) receives periodic reports from our Chief Security Officer (“CSO”) on security programs, including incident reports; (ii) reviews risk assessments from information security, privacy, and internal audit management teams with respect to cybersecurity, including the adequacy and effectiveness of the Company’s internal controls regarding cybersecurity; (iii) reviews emerging cybersecurity developments and threats; (iv) reviews compliance with applicable laws and industry standards; and (v) periodically reviews our strategy to mitigate cybersecurity risks, such as our cyber insurance coverage and contingency plans in the event of security incidents or other system disruptions. At least quarterly, our Risk and Security Committee provides reports to the full Board regarding matters recently discussed by the Committee, which enables the full Board to provide additional oversight of our cyber risks and cyber processes. The full Board also reviews our cybersecurity risks in connection with its annual review of our enterprise risk mitigation programs.

Our CSO has worked in the public and private sectors in information security since 1997 and has been a chief security officer since 2017. His technical and process certifications include CISSP, ITIL Foundation, Six Sigma Certified, CISCO CCNP, and CCNA. He oversees the implementation and compliance of our information security standards and mitigation of information security related risks.

We also have management level committees and response teams who support our processes to assess and manage cybersecurity risk as follows:

The Risk Oversight Committee (“ROC”), whose core members include the CFO, Chief Technology Officer, Chief Product Officer, and General Counsel, is responsible for making risk management decisions to ensure consideration of all relevant factors and alignment with our overall risk mitigation strategy. The ROC also oversees key risk management activity to help ensure accountability, adequacy of resourcing, implementation of Company directives, and alignment of oversight provided by the Board and senior management.

The Technology Security and Privacy Council, co-chaired by the CSO, Chief Information Officer, and Chief Privacy Officer, brings together IT, legal and internal audit personnel, and other function leads. The Security and Privacy Council provides a forum for these cross-functional members of management to consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.

At the day-to-day operational level, we maintain an experienced information security team who are tasked with implementing our privacy and cybersecurity program and support the CSO in implementing our detection, reporting, security and mitigation functions. This team and the CSO work to develop and implement tools and processes designed to assist in identifying, containing and remediating cybersecurity incidents, and periodically retain consultants to assist with these activities. We also periodically hold employee trainings on our privacy, cybersecurity and information management policies, conduct phishing tests and generally seek to promote a company-wide awareness of cybersecurity risk through broad-based communications and educational initiatives.
