VERIZON COMMUNICATIONS INC - (VZ)
10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity
Cybersecurity Program
Verizon’s comprehensive cybersecurity program is designed to identify and protect against cybersecurity risks and to position Verizon to rapidly detect, respond to, and recover from cybersecurity incidents that impact our company. The program is built on the following pillars:
• NIST Cybersecurity Framework. Our program is aligned to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which outlines the core components and responsibilities necessary to sustain a healthy and well-balanced cybersecurity program.
• Risk identification. We continually assess the cybersecurity threat and vulnerability landscape using various commercial, government and publicly available information sources.
• Risk detection. We use both manual and automated detection methods on a scheduled and ad hoc basis to identify vulnerabilities within, and threats to, our operations and network infrastructure.
• Risk evaluation. Once a cybersecurity vulnerability is detected, we assign a threat severity classification based on the risk profile associated with the vulnerability.
• Remediation. Verizon’s information security team reports all cybersecurity vulnerabilities and their associated threat classification to the appropriate business team for remediation. Deadlines for remediation are set based on the severity of the threat and closely tracked in a central system of record. In the instances when a remediation deadline cannot be met, the information security team and the business team work together to deploy appropriate mitigating or compensating controls until the remediation work is complete.
• Metrics and analysis. We track the performance of our cybersecurity program by collecting, retaining and analyzing a broad range of data related to our threat identification, detection and response activity. We use this data to assess threat trends, for strategic planning purposes and to enhance management accountability for cybersecurity.
Verizon has a comprehensive enterprise cybersecurity incident response plan, which is activated in the event of a cybersecurity incident. The plan is a detailed playbook that specifies how Verizon classifies, responds to, and recovers from cybersecurity incidents and includes notification procedures that vary depending on the significance of the incident. When warranted by the severity of the incident, our Chief Executive Officer and other senior executives are part of the notification chain.
Verizon validates enterprise cybersecurity maturity every two years through a third-party maturity assessment. This assessment measures Verizon’s ability to identify, prevent, detect, respond to, and recover from threats to systems, assets and data. The results of the assessment serve as the baseline for enterprise cybersecurity across the company. In addition to this baseline, certain subsets of our technology environment are subject to incremental cybersecurity certification and periodic third-party validation under applicable regulatory or contractual requirements.
Integrated Cybersecurity Risk Management
Verizon’s Senior Vice President and Chief Information Security Officer (CISO) has responsibility for the management of cybersecurity risks at Verizon. The CISO and their team are responsible for Verizon’s information security strategy, policy, standards, architecture and processes.
The CISO brings nearly two decades of cybersecurity experience to their work at Verizon. Prior to joining Verizon, they held executive-level cybersecurity roles at other large public companies, where they were responsible for cybersecurity strategy and operations, including incident response, threat intelligence, security services, architecture, commercial operational technology security, and regulatory and compliance matters.
Verizon effectuates cybersecurity management by providing for close cooperation among the CISO’s team and other teams within the company, as well as by integrating cybersecurity risk into Verizon’s overall enterprise risk management structures and processes. Each of our business units and certain functional groups has a Business Information Security Officer, who is an integral member of that unit or group but reports to the CISO. This structure provides the CISO with line of sight across the enterprise. The CISO and members of their leadership team also meet regularly with business unit senior leaders, including the CEO, the Chief Financial Officer and the Chief Human Resources Officer, to discuss business priorities, emerging threats and trends, and the performance of the cybersecurity program.
The Verizon Executive Security Council (VESC) oversees and evaluates the work of the CISO and their team. The VESC is jointly chaired by the presidents of Verizon Global Services and Global Networks and Technology and includes Verizon’s Chief Compliance Officer, Chief Legal Officer, Senior Vice President of Internal Audit and senior executives in business and technology functions. The VESC provides oversight of all aspects of Verizon’s cybersecurity program and, at regular intervals throughout the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks.
Verizon’s Management Audit Committee (VMAC), which includes our Chief Financial Officer, Senior Vice President of Internal Audit and other senior executives, is responsible for overseeing components of our overall risk management strategy. The VMAC receives quarterly updates from the CISO on Verizon’s cybersecurity program.
Verizon also operates a robust internal audit program. Each year, Verizon’s internal audit team conducts an overall business risk assessment, which includes an evaluation of cybersecurity risks. The results of the assessment are presented to the leaders of the relevant business teams, who are responsible for prioritizing and addressing the risks identified.
Board Oversight of Cybersecurity Risk
The Audit Committee of the Board of Directors (Board) has primary responsibility for overseeing Verizon’s risk management and compliance programs relating to cybersecurity and data protection and privacy.
As part of the Board’s oversight of risks from cybersecurity threats, the CISO leads an annual review and discussion with the full Board dedicated to Verizon’s cybersecurity risks, threats and protections. The CISO provides a mid-year update to this annual review to the Audit Committee and, as warranted, additional updates throughout the year. The Audit Committee also receives a report from senior management on Verizon’s cybersecurity posture and related matters at each of its other meetings during the year at which the CISO is not present.
Supplier Risk Management
We have implemented processes to identify and manage risks from cybersecurity threats associated with our use of third-party service providers. The Verizon Supplier Risk Management Program establishes governance, processes and tools for managing various supplier-related risks, including information security. As a condition of working with Verizon, suppliers who access sensitive business or customer information are expected to meet certain information security requirements.
Risks from Cybersecurity Threats
We are subject to increasing and evolving cybersecurity threats as cyber attacks against companies, including Verizon, have increased in frequency, scope and potential harm in recent years. While, to date, we have not been subject to cyber attacks that, individually or in the aggregate, have been material to Verizon's operations or financial condition, there can be no guarantee that we will not experience such an incident in the future. For more information on the risks from cybersecurity threats that we face, refer to “Risk Factors — Operational Risks — Cyber attacks impacting our networks or systems could have an adverse effect on our business” in Part I, Item 1A of this Annual Report on Form 10-K.