CHARTER COMMUNICATIONS, INC. /MO/ - (CHTR)

10-K Filing Date: February 02, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity risks are classified as a Tier 1 risk within our enterprise risk management program. We are committed to protecting the security and integrity of our systems, networks, databases and applications. We routinely invest to develop and implement numerous cybersecurity programs and processes, including risk management and assessment programs, security and

27


event monitoring capabilities, detailed incident response plans, and other advanced detection, prevention and protection capabilities, including practices and tools to monitor and mitigate insider threats. We regularly assess cybersecurity risks to identify and enumerate threats to us and vulnerabilities these threats can exploit to adversely impact our business operations. In some instances, we engage third parties to conduct or assist us with conducting cybersecurity risk assessments.

Our cybersecurity program employs various risk-tracking tools, industry data, monitoring, detection and response tools, vulnerability scanning, security dashboards and scorecards and other tools to support our continued evaluation of cybersecurity threats and regulatory requirements. Our cybersecurity program addresses the continuously evolving and extensive attack vectors and methods through layered security controls informed by constant threat analysis. Threats include a wide variety of perpetrators aiming for political, personal or financial gain, utilizing a broad set of tactics including ransomware, advanced malware, DDoS, account takeover, phishing/SMSing and social engineering, among others. These risks threaten our internal systems as well as third-party systems that we use and rely upon for the delivery of services and support of our operations. Our risk mitigation techniques include technology risk management, network segmentation, deployment of enhanced detection tools across our network, systems, databases, and applications and monitoring compliance with security standards.

Various security standards provide guidance to telecommunications companies in order to help identify and mitigate cybersecurity risks, including the voluntary framework released by the National Institute for Standards and Technology (“NIST”) in 2014 and updated in 2018, in cooperation with other federal agencies and owners and operators of U.S. critical infrastructure. The NIST cybersecurity framework provides a prioritized and flexible model for organizations to identify and manage cyber risks inherent to their business. Our security infrastructure is comprised of multiple security capabilities designed with a defense-in-depth model informed by the NIST cybersecurity framework, as well as a variety of other industry standards and best practices. The risk-based approach of the NIST cybersecurity framework has enabled us to implement cybersecurity programs tailored to our particular network architectures, customer environments and institutional resources.

Our cybersecurity risk management program also attempts to assess third-party vendor, service provider, business partner and supply chain risk management issues. Our efforts aim to better understand the cybersecurity posture of our third-party vendors, service providers, business partners and suppliers by analyzing their cybersecurity risk management programs. Our third-party cybersecurity risk management processes include reviewing and revising our service provider and vendor management programs and the related agreements to require prompt notification of cyber incidents, outages and software vulnerabilities to facilitate timely assessment and disclosure of third-party cyber risks. Generally, our agreements require our third-party providers to abide by specific privacy, confidentiality and security processes, particularly for third-party data-processing activities. For vendors that offer software as a service solutions involving personal information, our third-party risk management program generally requires third-party attestation of their security practices such as a System and Organization Controls 2 report or ISO27001 certification. Our due diligence and selection processes also require third parties to complete a cybersecurity and data privacy questionnaire that includes questions about contractor track record. Our third-party security reviews are limited by their disclosures; therefore, a risk-based approach is used in making vendor and contractual decisions based on those disclosures and the totality of the circumstances, such as whether the third party will have access to personal information or our network.

As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition.

Governance

Our organizational objectives are aligned to address our cybersecurity risks and management plays a pivotal role in assessing and managing our material risks from cybersecurity threats. Management’s role in assessing and managing material cybersecurity risks includes various management positions and committees responsible for assessing such risks. Our internal processes require escalation of material cybersecurity risks to our executive leadership and Charter's Board of Directors, as well as management and committees who are tasked with the prevention, detection, mitigation and remediation of cybersecurity incidents. These processes provide guidance for consistent and effective incident handling and response and set standards for internal notifications and escalations, as well as external notification considerations with respect to a cybersecurity event or incident requiring disclosure or notification to a state and/or federal agency or affected customers.

Charter's Board of Directors has delegated to the Audit Committee oversight of our privacy and data security, including cybersecurity, risk exposures, policies and practices, including the steps management have taken to detect, monitor and control such risks and the potential impact of those exposures on our business, financial results, operations and reputation. Charter's Audit Committee receives quarterly updates on the enterprise risk management program, including information on cybersecurity risks and initiatives undertaken to identify, assess and mitigate such risks. This cybersecurity reporting may

28


include threat and incident reporting, vulnerability detection reporting, risk mitigation metrics, systems and security operations updates or internal audit observations, if applicable.

We have a unified cybersecurity leadership team, composed of members of our Security Executive Steering Committee (“Security ESC”) to oversee implementation of appropriate cybersecurity protections and promote accountability. The Security ESC is led by senior executives in our information technology ("IT") and network operations groups and is comprised of senior executive leaders across the organization with the goal of driving cybersecurity focus through not just technical teams, but the entire business. The Security ESC reviews and evaluates current cyber threats and risks and improvements to our program and provides quarterly updates to the Chief Executive Officer as well as ad hoc updates on urgent matters. We also have a Cyber Security Council (“CSC”) and Security Operations Steering Committee that, under the direction of the Security ESC, collectively focus on cybersecurity across Charter and the overall protection of our internal network and related processes, policy, training and actions to protect customer and employee data. The CSC is comprised of senior leaders across the organization and operates under the auspices of the Security ESC, which is ultimately accountable under our enterprise risk management program for cybersecurity.

The executive team members overseeing our cybersecurity program are Magesh Srinivasan, Executive Vice President, Network Operations, and Jake Perlman, Executive Vice President, Software Development & IT. Our Security Operations Center and Security Compliance teams (including Software Development and IT and Network Security Operations) are unified under our Chief Information Security Officer, Greg Temm, to provide a centralized view of our risk posture to prevent vulnerabilities and more effectively manage cybersecurity threats across the enterprise.

Mr. Srinivasan is responsible for network operations across our 41-state footprint. He joined Charter in 2016, and most recently served as Senior Vice President in Network Operations, first in Core and Backbone Operations and most recently in Video Operations. Prior to that, he served in several senior engineering roles at Time Warner Cable Inc. ("TWC"), including as Group Vice President of Commercial Engineering and Operations, Vice President of Commercial Engineering for TWC’s West Region, and Director in the Texas Region. Mr. Srinivasan began his career at Sprint Corporation in a series of engineering roles with increased responsibility. He received a bachelor of science from Anna University, a master’s degree and doctorate in materials science from Kansas State University, and a master’s degree in business administration from the Graduate School of Business at the University of Kansas.

Mr. Perlman leads software development, security, technical integration, and IT. His scope includes software design and development for customer service agent, field technician, and customer self-service applications. Mr. Perlman joined Charter as a Senior Vice President in 2016, initially overseeing Video and Shared Software Services. He added Video Engineering, Voice Engineering, Lab Infrastructure and Deployment Support to his team in 2019. Before joining Charter, Mr. Perlman served as Chief information Officer for Bright House Networks, where he oversaw all of IT including Billing System Management, Software Development, Online Development, Internal IT, Information Security, and other functions. Prior to that, he held various IT roles at CenturyLink. Mr. Perlman holds a bachelor of arts from Brown University and a master of business administration from the University of Colorado – Boulder Leeds School of Business.

Mr. Temm joined Charter in 2020 as Group Vice President, IT Security, where he maintained responsibility for cybersecurity across our IT infrastructure, leading cyber threat intelligence, vulnerability management, security operations, incident response, information security engineering and architecture, risk management and security awareness. Previously, Mr. Temm was Chief Information Risk Officer for the Financial Services-Information Sharing and Analysis Center (FS-ISAC) where he collaborated with global financial services companies – foremost cybersecurity providers, law enforcement and government agencies – to protect the financial services sector against cyber and physical threats while coordinating responses to sector-wide incidents. Prior to FS-ISAC, Mr. Temm spent nearly two decades with Mastercard, serving in various leadership roles in cybersecurity, corporate security, network operations and debit operations. He holds a bachelor of science in business administration from Lindenwood University, where he graduated with Great Distinction. He is also a Certified Information Systems Security Professional ("CISSP").