UNITED STATES CELLULAR CORP - (USM)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
The UScellular information security program aligns with the National Institute of Standards and Technology (NIST) cybersecurity framework. Risk assessments are conducted periodically leveraging this standard and are integrated into the UScellular Enterprise Risk Management (ERM) program. The assessment results are used to drive continuous improvement in the UScellular cybersecurity control environment, as well as to manage potential data security risks of third-party service providers. UScellular assesses the threat and vulnerability landscape using various commercial, government, vendor and publicly available information sources and tools. UScellular manages these evolving risks through ongoing investments in the security program including active monitoring of the internal data environment and the environments of third-party service providers who manage sensitive data. In addition, UScellular Information Technology leaders conduct regular cyber incident simulations to ensure preparedness in the event of a cyber-attack. UScellular leverages external parties to perform independent assessments and tests of security controls in the environment.
UScellular’s Information Technology Security leaders are responsible for assessing and managing cybersecurity risks. Management has a depth of cybersecurity experience focused on increasing the organization's resilience to security threats and stays current on new developments through continuing education and monitoring of the cybersecurity landscape. The UScellular environment is monitored for potential security threats, and security events are investigated and acted on to minimize potential risk to the environment.
The full Board of Directors engages in oversight of UScellular's cybersecurity risks. The Board of Directors receives regular updates from management on technology and security and on UScellular’s assessment of cybersecurity threats and mitigation plans. The UScellular Audit Committee oversees the processes over internal controls and financial reporting that includes controls and procedures that are designed to ensure that significant cybersecurity incidents are communicated to both senior management and the Audit Committee. Cybersecurity is also discussed with the Technology Advisory Group of the Board of Directors as warranted, at least on an annual basis.