T-Mobile US, Inc. - (TMUS)
10-K Filing Date: February 02, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our Cybersecurity Approach and Integration
We have implemented processes for overseeing and identifying material risks from cybersecurity threats, and our cybersecurity processes are integrated into the Company’s overall risk management system and processes. As part of management’s oversight of cybersecurity, our Chief Security Officer (“CSO”) presents on our cybersecurity practices to the Nominating and Corporate Governance Committee of our Board of Directors (the “NCG Committee”) and to our full Board of Directors on a periodic basis. Our Senior Vice President, Internal Audit & Risk Management (the “Chief Audit Executive”), periodically presents enterprise risks, including cybersecurity risks, to the Audit Committee of our Board of Directors (the “Audit Committee”). Our Chief Compliance Officer regularly attends meetings at the NCG Committee providing insights from the compliance perspective relating to cybersecurity.
Cyber risk management is a core component of the Company's governance structure. We utilize the National Institute of Standards and Technology’s Cybersecurity Framework (“NIST CSF”) as a guide in cyber risk management to identify, assess, and assist the CSO in managing cybersecurity risks. Cyber risk management encompasses partnerships among teams that are responsible for cyber governance, prevention, detection, and remediation activities within the Company’s cybersecurity environment. As part of our cyber risk management efforts, we conduct periodic reviews and collaborate with enterprise-wide risk assessments to assess and manage cybersecurity risks. Our cybersecurity team also provides enterprise-wide cybersecurity training for employees to continuously improve our mitigation against human-driven vulnerabilities.
Our management also conducts a quarterly enterprise-wide risk assessment that considers a wide spectrum of risks facing the Company, including cybersecurity. Through these quarterly risk assessments, management informs the Audit Committee on the cyber risk landscape facing the Company and the Company’s preparedness to manage such risk. The enterprise-wide risk assessment is a top-down risk assessment that leverages the assessments performed by cyber risk management.
Engagement with External Experts
The Company engages top-tier external cybersecurity firms, as needed, leveraging their expertise as part of our ongoing effort to evaluate and enhance our cybersecurity program. They help with cyber defense capabilities (including staff enhancement of certain functions) and transformation to mitigate associated threats, reduce risk, enhance our cybersecurity posture, and meet the Company's evolving needs.
Oversight of Third-Party Service Providers
Our third-party risk management program includes processes for identifying and managing material cybersecurity risks arising from third-party providers. Our third-party risk management program actively engages with the enterprise-wide risk assessment process and partners with cyber risk management to report relevant risks to the NCG Committee, the Audit Committee and our internal Enterprise Risk & Compliance Committee. Our third-party risk management program includes cybersecurity as an aspect of its risk assessment of third parties with the objective that key risks are identified and addressed. Moreover, the program also considers risks associated with certain fourth parties, entities that are partners or subcontractors of our direct third-party vendors, through assessments carried out by our third-party service providers.
Cybersecurity Incident Impact
As previously disclosed, in August 2021, we experienced a cybersecurity incident that resulted in numerous lawsuits, including mass arbitration claims and multiple class action lawsuits. In January 2023, we experienced another cybersecurity incident that also resulted in consumer class actions and regulatory inquiries. As a result of the August 2021 cyberattack and the January 2023 cyberattack, we have incurred and may continue to incur significant costs or experience other material financial impacts, which may not be covered by, or may exceed the coverage limits of, our cyber liability insurance, and such costs and impacts may have a material adverse effect on our business, reputation, financial condition, cash flows and operating results. For additional details regarding the impact of both cybersecurity incidents, see Note 17 – Commitments and Contingencies of the Notes to the Consolidated Financial Statements.
We have not identified other known risks from previous cybersecurity threats that have materially affected or are reasonably likely to materially affect us. However, we face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect business strategy, results of operations, or financial condition. See “Risk Factors – We have experienced criminal cyberattacks and could in the future be further harmed by disruption, data loss or other security breaches, whether directly or indirectly through third parties whose products and services we rely on in operating our business.”
Governance
Disclosure of Management’s Responsibilities
Transformation and Chief Information & Digital Officer
The Transformation and Chief Information & Digital Officer, under the direction of the Company’s Chief Executive Officer, is responsible for overseeing the Company’s information technology systems, digital capabilities, and cybersecurity practices. The CSO, under the direction of the Transformation and Chief Information & Digital Officer, is responsible for overseeing the cybersecurity organization and promoting a security-centric culture throughout our business and operational functions. The CSO is at the forefront of enhancing our cybersecurity framework and strengthening the overall cybersecurity program. This involves upgrading tools and capabilities, which are part of a broader, multi-year strategy to continue to enhance security measures. The CSO oversees the cyber risk management function, which identifies cybersecurity threats, assesses cybersecurity risks and supports the Transformation and Chief Information & Digital Officer and the Company in managing such risks.
As the Company’s Executive Vice President, Transformation and Chief Information & Digital Officer, Néstor Cano has served in several leadership positions at both the Company and Sprint, including as Sprint’s Chief Operating Officer, overseeing, among other things, Sprint’s digital architecture and delivery. Mr. Cano studied industrial engineering at Barcelona Polytechnic University, attended the Executive Distribution Academy by INSEAD Business School in Fontainebleau, France, and also completed his post-graduate degree in executive management at IESE Business School in Barcelona, Spain.
As the Company’s CSO, Jeff Simon has extensive experience in risk management and information security, including serving as the Chief Information Security Officer at Fidelity National Information Services, Inc. Mr. Simon received his Master of Science in Computer Science, Software Engineering & Artificial Intelligence from the Johns Hopkins Whiting School of Engineering and Bachelor of Science in Business Administration and Applied Economics from Marquette University. Mr. Simon is a Certified Information Systems Security Professional.
Enterprise Risk & Compliance Committee
Our Enterprise Risk & Compliance Committee comprises senior management representatives and subject matter experts from across the Company. The Enterprise Risk & Compliance Committee is chaired by the Chief Financial Officer (“CFO”) of the Company, with the Executive Vice President & General Counsel as co-chair; its core members include the Transformation and Chief Information & Digital Officer, while the CSO serves in an advisory capacity. The purpose of the Enterprise Risk & Compliance Committee is to oversee and govern the Company’s risk management, environmental, social, corporate governance, cybersecurity, and operational compliance activities, as well as to provide a means of bringing risk issues to the attention of management. Specific to cybersecurity, the Transformation and Chief Information & Digital Officer and the CSO have the expertise to provide insights into the nature of cyber threats, the Company’s readiness, and actions taken to mitigate such risks.
Disclosure of the Board’s Roles and Responsibilities
Our Board of Directors oversees risks from cybersecurity threats using a multi-faceted approach that involves the NCG Committee and Audit Committee and various executive roles. Additionally, our Transformation and Chief Information & Digital Officer and CSO report on cybersecurity to the full Board.
Nominating and Corporate Governance Committee
The NCG Committee oversees risks associated with data privacy and information security, which encompasses cybersecurity. Our CSO and Chief Compliance Officer, among other executives, provide periodic reports to the NCG Committee and also meet with the NCG Committee to discuss any material events when they arise. The periodic reports are designed to keep the NCG Committee abreast of the Company’s cybersecurity practices, risks and trends in cybersecurity threats. The NCG Committee also has discussions with management focused on evaluating the Company’s exposure to cybersecurity risks and cybersecurity practices in place to mitigate such risks. These discussions enable the NCG Committee to be informed of the steps management is taking to detect, monitor and manage cybersecurity risks. These reports to the NCG Committee typically include information on any significant incidents that have occurred, how they were managed, and any changes to the risk profile of the Company. The NCG Committee seeks updates to facilitate proactive governance and to allow the NCG Committee to address emerging cybersecurity issues with management.
Audit Committee
The Audit Committee is integral to overseeing the Company’s overall risk management strategies, including cybersecurity risks and disclosures. To keep the Audit Committee informed, the Chief Audit Executive maintains a direct and open communication channel with the Audit Committee. Regular meetings are held for the Chief Audit Executive to report to the Audit Committee. These include an enterprise-wide risk assessment that highlights cybersecurity risks and cybersecurity risk mitigation actions. Additionally, the Audit Committee receives updates on significant incidents and cybersecurity risks that have been presented to or discussed with the Enterprise Risk & Compliance Committee.