SIRIUS XM HOLDINGS INC. - (SIRI)

10-K Filing Date: February 01, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
As part of our enterprise risk assessment function, which is led by our Senior Vice President and head of Internal Audit, we have implemented processes to assess, identify and manage the material risks facing the company, including from cyber threats. Our enterprise risk assessment function is part of our overall risk management processes. Our cybersecurity program is built upon internationally recognized frameworks, such as ISO 27001, and maps to standards published by the National Institute of Standards and Technology. We believe that our processes provide us with a comprehensive assessment of potential cyber threats. We conduct regular scans, penetration tests, and vulnerability assessments to identify any potential threats or vulnerabilities in our systems. Our processes to assess, identify and manage the material risks from cyber threats include the risks arising from threats associated with third-party service providers, including cloud-based platforms.
We have developed a robust cyber crisis response plan which provides a documented framework for handling high severity security incidents and facilitates coordination across multiple parts of the company. Our incident response team constantly monitors threat intelligence feeds, handles vulnerability management and responds to incidents. In addition, we routinely perform simulations and drills at both a technical and management level.
Internally, we have a security awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The security awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on an annual basis, and it is supplemented by testing initiatives, including periodic phishing tests. We also provide specialized security training for certain employee roles, such as application developers. Finally, our privacy program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.
From time to time, we engage third-party service providers to enhance our risk mitigation efforts. For instance, we have routinely engaged an independent cybersecurity advisor to lead a cybersecurity crisis simulation exercise that has been used by our senior leaders to prepare for a possible cyber crisis. In addition, we have engaged: Novacoast, an international cybersecurity company specializing in IT services and software development, to augment our monitoring and detection efforts; Synopsys, Inc., a leader in electronic design automation, to perform our external penetration testing and vulnerability assessment; Recorded Future, one of the world’s largest intelligence companies, and Mandiant, a recognized leader in cyber defense, threat intelligence and incident response services, to provide threat intelligence and analysis services; and Mandiant to augment our incident response ability and provide forensic services. We also purchase insurance to protect us against the risk of cybersecurity breaches. Our Senior Vice President and Treasurer is responsible for our insurance programs and reviews on a regular basis our cyber insurance policies and assesses whether we have appropriate coverage.
To date, risks from cybersecurity threats have not previously materially affected us, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. That said, as discussed more fully under “Item 1A – Risk Factors”, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches of these types, including security threats that may result from third parties improperly employing AI technologies, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
Governance
Role of the Board
The Audit Committee of the Board of Directors is responsible for the primary oversight of our information security programs, including relating to cybersecurity. The Audit Committee receives regular reports from our Chief Product and Technology Officer, Chief Information Security Officer and the Chief Information Officer on, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our security program, and our views of the emerging threat landscape. Our Senior Vice President and head of Internal Audit reports directly to the Audit Committee and is responsible for reporting to the Committee on our company-wide enterprise risk assessment, and that assessment also includes an evaluation of cyber risks and threats. The Chair of the Audit Committee regularly reports to the Board on cybersecurity risks and other matters reviewed by the Committee. In addition, the Board receives separate presentations on cybersecurity risk from our Chief Product and Technology Officer. Furthermore, all Board members are invited to attend each Audit Committee meeting and have access to the materials for each Audit Committee meeting.
As a matter of process, the Audit Committee annually reviews, and recommends to the Board its approval of, our information security policy and information security program. Furthermore, on an annual basis, the Board reviews and discusses our technology strategy with our Chief Product and Technology Officer and approves our technology strategic plan.
Role of management
Our Chief Information Security Officer, together with our Chief Product and Technology Officer and Chief Information Officer, is responsible for the day-to-day management of our cybersecurity risks. We have established a Security Council, which includes our Chief Executive Officer, Chief Commercial Officer, Chief Product and Technology Officer, Chief Information Security Officer, Chief Information Officer, Chief Financial Officer, General Counsel and other senior officers, that meets on at least a quarterly basis to review cybersecurity and information security matters. The Security Council has primary management oversight responsibility for assessing and managing information security, fraud, vendor, data protection and privacy, and cybersecurity risks.
We have a security incident response framework in place. We use this incident response framework as part of the process we employ to keep our management and Board of Directors informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. The framework is a set of coordinated procedures and tasks that our incident response team, under the direction of the Chief Information Security Officer, executes with the goal of ensuring timely and accurate resolution of cybersecurity incidents. Our cybersecurity framework includes regular compliance assessments with our policies and standards and applicable state and federal statutes and regulations. In addition, we validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits.
Our Chief Information Security Officer, Chief Product and Technology Officer and Chief Information Officer each have extensive experience in the information technology area. In particular, our Chief Information Security Officer has over twenty years of professional experience in the information security area, including as a result of his service as the director of security, a security architect and a software security engineer at companies such as Squarespace, Verizon Media (Oath), Tumblr, Bridgewater Associates and EMC; our Chief Product and Technology Officer has twenty-eight years of professional experience in the information security area; and our Chief Information Officer has twenty-three years of professional experience in the information security area.