VERIZON COMMUNICATIONS INC 10-K Cybersecurity GRC - 2024-02-09

Page last updated on July 16, 2024

VERIZON COMMUNICATIONS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-09 10:51:34 EST.

Filings

10-K filed on 2024-02-09

VERIZON COMMUNICATIONS INC filed a 10-K at 2024-02-09 10:51:34 EST
Accession Number: 0000732712-24-000010

Item 1C. Cybersecurity.

Cybersecurity Program

Verizon’s comprehensive cybersecurity program is designed to identify and protect against cybersecurity risks and to position Verizon to rapidly detect, respond to, and recover from cybersecurity incidents that impact our company. The program is built on the following pillars:

Verizon has a comprehensive enterprise cybersecurity incident response plan, which is activated in the event of a cybersecurity incident. The plan is a detailed playbook that specifies how Verizon classifies, responds to, and recovers from cybersecurity incidents and includes notification procedures that vary depending on the significance of the incident. When warranted by the severity of the incident, our Chief Executive Officer and other senior executives are part of the notification chain.

Verizon validates enterprise cybersecurity maturity every two years through a third-party maturity assessment. This assessment measures Verizon’s ability to identify, prevent, detect, respond to, and recover from threats to systems, assets and data. The results of the assessment serve as the baseline for enterprise cybersecurity across the company. In addition to this baseline, certain subsets of our technology environment are subject to incremental cybersecurity certification and periodic third party validation under applicable regulatory or contractual requirements.

Integrated Cybersecurity Risk Management

Verizon’s Senior Vice President and Chief Information Security Officer (CISO) has responsibility for the management of cybersecurity risks at Verizon. The CISO and their team are responsible for Verizon’s information security strategy, policy, standards, architecture and processes.

The CISO brings nearly two decades of cybersecurity experience to their work at Verizon. Prior to joining Verizon, they held executive-level cybersecurity roles at other large public companies, where they were responsible for cybersecurity strategy and operations, including incident response, threat intelligence, security services, architecture, commercial operational technology security, and regulatory and compliance matters.

Verizon effectuates cybersecurity management by providing for close cooperation among the CISO’s team and other teams within the company, as well as by integrating cybersecurity risk into Verizon’s overall enterprise risk management structures and processes. Each of our business units and certain functional groups have a Business Information Security Officer, who is an integral member of that unit or group, but reports to the CISO. This structure provides the CISO with line of sight across the enterprise. The CISO and members of their leadership team also meet regularly with business unit senior leaders, including the CEO, the Chief Financial Officer and the Chief Human Resources Officer, to discuss business priorities, emerging threats and trends, and the performance of the cybersecurity program.

The Verizon Executive Security Council (VESC) oversees and evaluates the work of the CISO and their team. The VESC is jointly chaired by the presidents of Verizon Global Services and Global Networks and Technology and includes Verizon’s Chief Compliance Officer, Chief Legal Officer, Senior Vice President of Internal Audit and senior executives in business and technology functions. The VESC provides oversight of all aspects of Verizon’s cybersecurity program and, at regular intervals throughout the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks.

Verizon’s Management Audit Committee (VMAC), which includes our Chief Financial Officer, Senior Vice President of Internal Audit and other senior executives, is responsible for overseeing components of our overall risk management strategy. The VMAC receives quarterly updates from the CISO on Verizon’s cybersecurity program.

Verizon also operates a robust internal audit program. Each year, Verizon’s internal audit team conducts an overall business risk assessment, which includes an evaluation of cybersecurity risks. The results of the assessment are presented to the leaders of the relevant business teams, who are responsible for prioritizing and addressing the risks identified.

Board Oversight of Cybersecurity Risk

The Audit Committee of the Board of Directors (Board) has primary responsibility for overseeing Verizon’s risk management and compliance programs relating to cybersecurity and data protection and privacy.

As part of the Board’s oversight of risks from cybersecurity threats, the CISO leads an annual review and discussion with the full Board dedicated to Verizon’s cybersecurity risks, threats and protections. The CISO provides a mid-year update to this annual review to the Audit Committee and, as warranted, additional updates throughout the year. The Audit Committee also receives a report from senior management on Verizon’s cybersecurity posture and related matters at each of its other meetings during the year at which the CISO is not present.

Supplier Risk Management

We have implemented processes to identify and manage risks from cybersecurity threats associated with our use of third-party service providers. The Verizon Supplier Risk Management Program establishes governance, processes and tools for managing various supplier-related risks, including information security. As a condition of working with Verizon, suppliers who access sensitive business or customer information are expected to meet certain information security requirements.

Risks from Cybersecurity Threats

We are subject to increasing and evolving cybersecurity threats as cyber attacks against companies, including Verizon, have increased in frequency, scope and potential harm in recent years. While, to date, we have not been subject to cyber attacks that, individually or in the aggregate, have been material to Verizon’s operations or financial condition, there can be no guarantee that we will not experience such an incident in the future. For more information on the risks from cybersecurity threats that we face, refer to “Risk Factors - Operational Risks - Cyber attacks impacting our networks or systems could have an adverse effect on our business” in Part I, Item 1A of this Annual Report on Form 10-K.


Company Information

Name: VERIZON COMMUNICATIONS INC
CIK: 0000732712
SIC Description: Telephone Communications (No Radiotelephone)
Ticker: VZ - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30