TELEPHONE & DATA SYSTEMS INC /DE/ - (TDS)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
The TDS information security program aligns with the National Institute of Standards and Technology (NIST) cybersecurity framework. Risk assessments are conducted periodically leveraging this standard and are integrated into the TDS Enterprise Risk Management (ERM) program. The assessment results are used to drive continuous improvement in the TDS cybersecurity control environment, as well as to manage potential data security risks of third-party service providers. TDS assesses the threat and vulnerability landscape using various commercial, government, vendor and publicly available information sources and tools. TDS manages these evolving risks through ongoing investments in the security program including active monitoring of the internal data environment and the environments of third-party service providers who manage sensitive data. In addition, TDS Information Technology leaders conduct regular cyber incident simulations to ensure preparedness in the event of a cyber-attack. TDS leverages external parties to perform independent assessments and tests of security controls in the environment.
TDS’ Information Technology Security leaders are responsible for assessing and managing cybersecurity risks. Management has a depth of cybersecurity experience focused on increasing the organization's resilience to security threats and stays current on new developments through continuing education and monitoring of the cybersecurity landscape. The TDS environment is monitored for potential security threats and security events are investigated and acted on to minimize potential risk to the environment.
The full Board of Directors engages in oversight of TDS' cybersecurity risks. The Board of Directors receives regular updates from management on technology and security updates and TDS’ assessment of cybersecurity threats and mitigation plans. The TDS Audit Committee oversees the processes over internal controls and financial reporting that includes controls and procedures that are designed to ensure that significant cybersecurity incidents are communicated to both senior management and the Audit Committee. Cybersecurity is also discussed with the Technology Advisory Group of the Board of Directors as warranted, at least on an annual basis.