COMCAST CORP - (CMCSA)

10-K Filing Date: January 31, 2024
Item 1C: Cybersecurity
Our management, with involvement and input from our Board of Directors, performs an annual enterprise-wide risk management (“ERM”) assessment to identify and manage key existing and emerging risks for our company. Our ERM process assesses the characteristics and circumstances of the evolving business environment at the time and seeks to identify both the potential impacts to our company of a particular risk and the velocity with which the risk may manifest (e.g., rapidly in less than three months or more slowly in more than twelve months). Our senior executive management team has the overall responsibility for, and oversight of, our ERM process, and an ERM steering committee manages the process, with one or more senior business executives then monitoring and managing each of the identified risks. Cybersecurity is among the risks identified for Board-level oversight as a result of our most recent ERM assessment, with our Audit Committee of the Board being responsible for overseeing our policies, practices and assessments with respect to cybersecurity.
The Board and/or our Audit Committee receive regular updates throughout the year on cybersecurity. Each of our Board and Audit Committee separately receives an annual report on cybersecurity matters and related risk exposures from our primary businesses’ Chief Information Security Officers (“CISOs”) and Chief Technology Officers or other similar officers (“CTOs”). When covered during an Audit Committee meeting, the chair of the Audit Committee reports on its discussion to the full Board. Our Audit Committee also receives regular updates on our cybersecurity posture throughout the year, as appropriate.
In addition to this Board-level oversight, our Cybersecurity Leadership Council (“CLC”) oversees our cybersecurity strategy and is responsible for overseeing and managing our cybersecurity risk. The CLC includes our Chief Financial Officer (“CFO”), Chief Legal Officer, head of Internal Audit, and lead internal securities counsel, as well as the CISOs, CTOs, CFOs and General Counsels of our primary businesses. Given the complex and varied nature of our businesses, the Connectivity & Platforms and Content & Experiences businesses each have a dedicated CISO who we believe is appropriately qualified to assess and manage cybersecurity risks. The Connectivity & Platforms CISO has served in various roles in product security and privacy at our company since 2016, held various leadership and technical positions in Fortune 500 companies before joining our company, and has educational degrees in computer science and electrical engineering. The Content & Experiences CISO has served in various roles in information security at our company since 2018, held various roles in managing security operation center service portfolios and information security before joining our company, and has educational degrees in management and business organizational management and management information systems and services.
The CLC conducts regular meetings throughout the year during which CISOs provide updates and report on meaningful cybersecurity risks, threats, incidents and vulnerabilities in accordance with the CLC’s reporting framework, as well as related priorities, mitigation and remediation activities, financial and employee resource levels, regulatory compliance, technology trends and third-party provider risks. To help inform this reporting framework, our primary businesses maintain incident response plans and other policies and procedures designed to respond to, mitigate and remediate cybersecurity incidents according to a defined set of severity ratings based on the potential impact to our business, information technology systems, network or data, including data held or information technology (“IT”) services provided by third-party vendors or other service providers.
Network and information systems and other technologies, including those that are related to our network management, customer service operations and programming delivery and are embedded in our products and services, are critical to our business activities. We also obtain certain confidential, proprietary and personal information about our customers, personnel and vendors that in many cases is provided or made available to third-party vendors who agree to protect it. As a result, we have multiple layers of security designed to detect and block cybersecurity events, as well as a dedicated team of cybersecurity personnel, which assists our CISOs in helping to assess, identify, monitor, detect and manage cybersecurity risks, threats, vulnerabilities and incidents. In the normal course, we engage assessors, consultants and other third parties to assist in various cyber-related matters. For example, an outside consulting firm conducts a National Institute of Standards and Technology and International Organization for Standardization based cybersecurity capability maturity assessment every three years, which is reviewed with the Audit Committee, and our security teams leverage third-party advisors, as appropriate. We also perform penetration tests, data recovery testing, security audits and risk assessments throughout the year. Our cybersecurity program also incorporates intelligence sharing capabilities about emerging threats within the telecommunications industry and other industries through collaboration with peer companies and specialized consultants and through public-private partnerships with government intelligence agencies. We hold cybersecurity trainings for our employees and request that key vendors do the same.
Comcast 2023 Annual Report on Form 10-K
However, while we develop and maintain systems, and operate programs that seek to prevent security incidents from occurring, these systems and programs must be constantly monitored and updated in the face of sophisticated and rapidly evolving attempts to overcome our security measures and protections. The occurrence of both intentional and unintentional incidents has caused, and could cause in the future, a variety of adverse business impacts. See “Item 1A: Risk Factors” above for additional information on risks related to our business, including for example risks related to cyber attacks, information and system breaches, and technology disruptions and failures; our reliance on using and protecting certain intellectual property rights; keeping pace with technological developments; legal and regulatory developments; and obtaining hardware, software and operational support from third-party vendors.