SHENANDOAH TELECOMMUNICATIONS CO/VA/ - (SHEN)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Risk Management & Strategy
Shentel’s Risk Management Program defines the framework for risk identification and assessment, including cybersecurity risks. Our overall Risk Management Program integrates processes for assessing, identifying and managing material risks from cybersecurity threats. Cybersecurity risks are identified through various means including, but not limited to, regularly conducted security assessments, external and internal penetration testing, data privacy assessments, external security evaluations, the testing and implementation, as applicable, of new technologies, and continuing education and awareness of existing and new threat vectors, industry trends, changes in the environment and changes in the overall technology landscape. Pursuant to our Information Security Program, once a cybersecurity risk is identified, the Information Security team, in collaboration with other areas of the organization, will assess the risk and implement an appropriate response. Security risk assessments comprise the reasonably foreseeable impacts to the Company and its stakeholders due to the threats and known vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate.
To mitigate or address risks, Shentel leverages accepted and well-known security tools and services that allow Shentel to maintain a robust security posture. Our Information Security Program addresses risks through a wide spectrum of measures, including enhanced monitoring, endpoint protection, multifactor authentication, privileged account security, web and email filtering and comprehensive internal employee training. Our security protocols are rooted in industry standards and guidelines issued by respected bodies such as the National Institute of Standards and Technology, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and the Center for Internet Security. In addition, we regularly consult with external advisors regarding opportunities to enhance and strengthen our policies and practices.
With respect to third-party service providers, our Information Security Program includes conducting due diligence of relevant service providers’ information security programs prior to onboarding. We also contractually require third-party service providers with access to our information technology systems, sensitive business data or personal information to implement and maintain appropriate security controls and contractually restrict their ability to use our data, including personal information, for purposes other than to provide services to us, except as required by law. To oversee the risks associated with these service providers, we work with them to help ensure that their cybersecurity protocols are appropriate to the risk presented by their access to or use of our systems and/or data, including notification and coordination concerning incidents occurring on third-party systems that may affect us. Our service providers are contractually required to notify us promptly of actual or reasonably suspected information security incidents occurring on their systems that may affect our systems or data, including personal information.
Should a security breach or incident occur, the Chief Information Officer (the “CIO”) in collaboration with the Company’s General Counsel, Chief Accounting Officer (the “CAO”) and Chief Operating Officer (the “COO”) will evaluate the materiality of any specific incident. The Company’s Chief Executive Officer (the “CEO”) and Chief Financial Officer (the “CFO”) will ultimately decide if an incident is material. Considerations of materiality will include a variety of factors, including, for example, the extent of expected financial cost, customers impacted, operational impacts, and/or data exposed or lost as a result of the incident.
The Information Security Program is intended to provide effective governance and oversight for assessing cybersecurity risks, recognizing that no program, no matter how well designed and implemented, can prevent all potential cybersecurity risks and that the benefits of any potential controls or mitigations should be considered in relation to their costs. While we have experienced cybersecurity incidents in the past, to date, cybersecurity incidents and threats have not materially affected our business strategy, results of operations or financial condition. Although we have invested in the protection of our data and information technology and monitor our systems on an ongoing basis, there can be no assurance that such efforts will in the future prevent material compromises to our information technology systems that could have a material adverse effect on our business. For more information on our cybersecurity related risks, see Item 1A. Risk Factors of this Form 10-K.
Governance
Our Board of Directors has risk oversight responsibility for the Company and administers this responsibility both directly and with assistance from its committees. If applicable, these committees periodically report to the Board of Directors on their risk oversight activities. Cybersecurity is a critical component of our enterprise risk management program and our Board of Directors is involved in reviewing our information security and technology risks and opportunities (including cybersecurity) and discusses these topics on a regular basis. The Audit Committee, comprised solely of independent directors, oversees our enterprise risk management process and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks, including cybersecurity.
Our Director of Information Security leads the Information Security Program and reports to the CIO, who also provides additional oversight of the Program. The Director of Information Security has over 18 years of experience in the information technology and information security fields and the CIO has over 28 years of experience in the information technology and information security fields. In addition, we have established a Security Steering Committee that provides guidance and direction to the CIO regarding the Information Security Program, including approval of the Program mission and its objectives. The Security Steering Committee meets at least quarterly and its membership includes, at a minimum, the Director of Information Security, the CIO, the COO, the CFO, the Sr. Vice President of Engineering and Operations, the VP of Legal/General Counsel and the CEO. Information security risks are reviewed with the Security Steering Committee periodically or as needed.
The CIO, in connection with the General Counsel and CEO, updates the Audit Committee periodically on cybersecurity and other information technology risks and opportunities. Additionally, the Audit Committee, with guidance from the CIO, General Counsel and CEO, provides updates to the Board of Directors on the Information Security Program at least annually. In the case of an information security incident or breach, the Director of Information Security and CIO will follow the Company’s Incident Response Plan and follow communication protocols within the plan, which, depending on the severity of the incident, include escalation timelines and responsibilities that involve updating the Audit Committee and the Board of Directors, as applicable.