Page last updated on January 31, 2025
CHARTER COMMUNICATIONS, INC. /MO/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-31 07:02:28 EST.
Filings
10-K filed on 2025-01-31
Accession Number: 0001091667-25-000034
Item 1C. Cybersecurity.
Risk Management and Strategy
Cybersecurity risks are classified as a Tier 1 risk within our enterprise risk management program. We are committed to protecting the security and integrity of our systems, networks, databases and applications. We routinely invest to develop and implement numerous cybersecurity programs and processes, including risk management and assessment programs, security and event monitoring capabilities, detailed incident response plans, and other advanced detection, prevention and protection capabilities, including practices and tools to monitor and mitigate insider threats.
We regularly assess cybersecurity risks to identify and enumerate threats to us and vulnerabilities these threats can exploit to adversely impact our business operations. In some instances, we engage third parties to conduct or assist us with conducting cybersecurity risk assessments. Our cybersecurity program employs various risk-tracking tools, industry data, monitoring, detection and response tools, vulnerability scanning, security dashboards and scorecards and other tools to support our continued evaluation of cybersecurity threats and regulatory requirements.
Our cybersecurity program addresses the continuously evolving and extensive attack vectors and methods through layered security controls informed by constant threat analysis. Threats include a wide variety of perpetrators aiming for political, personal or financial gain, utilizing a broad set of tactics including ransomware, advanced malware, DDoS, account takeover, phishing/SMSing and social engineering, among others. These risks threaten our internal systems as well as third-party systems that we use and rely upon for the delivery of services and support of our operations.
Our risk mitigation techniques include technology risk management, network segmentation, deployment of enhanced detection tools across our network, systems, databases, and applications and monitoring compliance with security standards. Various security standards provide guidance to telecommunications companies in order to help identify and mitigate cybersecurity risks, including the voluntary framework released by the National Institute for Standards and Technology (“NIST”) in 2014 and updated in 2018, in cooperation with other federal agencies and owners and operators of U.S. critical infrastructure. The NIST cybersecurity framework provides a prioritized and flexible model for organizations to identify and manage cyber risks inherent to their business. Our security infrastructure is comprised of multiple security capabilities designed with a defense-in-depth model informed by the NIST cybersecurity framework, as well as a variety of other industry standards and best practices. The risk-based approach of the NIST cybersecurity framework has enabled us to implement cybersecurity programs tailored to our particular network architectures, customer environments and institutional resources.
Our cybersecurity risk management program also attempts to assess third-party vendor, service provider, business partner and supply chain risk management issues. Our efforts aim to better understand the cybersecurity posture of our third-party vendors, service providers, business partners and suppliers by analyzing their cybersecurity risk management programs. Our third-party cybersecurity risk management processes include reviewing and revising our service provider and vendor management programs and the related agreements to require prompt notification of cyber incidents, outages and software vulnerabilities to facilitate timely assessment and disclosure of third-party cyber risks.
Generally, our agreements require our third-party providers to abide by specific privacy, confidentiality and security processes, particularly for third-party data-processing activities. For vendors that offer software as a service solutions involving personal information, our third-party risk management program generally requires third-party attestation of their security practices such as a System and Organization Controls 2 report or ISO27001 certification. Our due diligence and selection processes also require third parties to complete a cybersecurity and data privacy questionnaire that includes questions about contractor track record. Our third-party security reviews are limited by their disclosures; therefore, a risk-based approach is used in making vendor and contractual decisions based on those disclosures and the totality of the circumstances, such as whether the third party will have access to personal information or our network.
As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. For further discussion of cybersecurity risks, see “Part I. Item 1A. Risk Factors - Risks Related to Our Business - Various events could disrupt or result in unauthorized access to our networks, information systems or properties and could impair our operating activities and negatively impact our reputation and financial results.”
Governance
Our organizational objectives are aligned to address our cybersecurity risks and management plays a pivotal role in assessing and managing our material risks from cybersecurity threats. Management’s role in assessing and managing material cybersecurity risks includes various management positions and committees responsible for assessing such risks.
Our internal processes require escalation of material cybersecurity risks to our executive leadership and Charter’s Board of Directors, as well as management and committees who are tasked with the prevention, detection, mitigation and remediation of cybersecurity incidents. These processes provide guidance for consistent and effective incident handling and response and set standards for internal notifications and escalations, as well as external notification considerations with respect to a cybersecurity event or incident requiring disclosure or notification to a state and/or federal agency or affected customers.
Charter’s Board of Directors has delegated to the Audit Committee oversight of our privacy and data security, including cybersecurity, risk exposures, policies and practices, including the steps management have taken to detect, monitor and control such risks and the potential impact of those exposures on our business, financial results, operations and reputation. Charter’s Audit Committee receives quarterly updates on the enterprise risk management program, including information on cybersecurity risks and initiatives undertaken to identify, assess and mitigate such risks. This cybersecurity reporting may include threat and incident reporting, vulnerability detection reporting, risk mitigation metrics, systems and security operations updates or internal audit observations, if applicable.
We have a unified cybersecurity leadership team, composed of members of our Security Executive Steering Committee (“Security ESC”) to oversee implementation of appropriate cybersecurity protections and promote accountability. The Security ESC is led by senior executives in our information technology (“IT”) and technology operations groups and is comprised of senior executive leaders across the organization with the goal of driving cybersecurity focus through not just technical teams, but the entire business.
The Security ESC reviews and evaluates current cyber threats and risks and improvements to our program and provides quarterly updates to the Chief Executive Officer as well as ad hoc updates on urgent matters. We also have a Cyber Security Council (“CSC”) and Security Operations Steering Committee that, under the direction of the Security ESC, collectively focus on cybersecurity across Charter and the overall protection of our internal network and related processes, policy, training and actions to protect customer and employee data. The CSC is comprised of senior leaders across the organization and operates under the auspices of the Security ESC, which is ultimately accountable under our enterprise risk management program for cybersecurity.
Our Executive Vice President, Technology Operations and our Executive Vice President, Software Development & IT collectively oversee our cybersecurity program. Our Executive Vice President, Technology Operations is responsible for operating our customer product technology infrastructure across our 41-state footprint. He has served in various network operations roles at Charter since 2016 and previously held various engineering roles at other large public companies. Our Executive Vice President, Software Development & IT leads software development, security, technical integration, and IT. He has served in various software and engineering roles at Charter since 2016, and has previously held various IT roles, including chief information officer, at other telecommunications companies.
Our Chief Information Security Officer (“CISO”) is a Certified Information Systems Security Professional and has served in various roles in information security at Charter since 2020. He has over two decades of experience in cybersecurity, corporate security and network operations, including cyber threat intelligence, vulnerability management, security operations, incident response, information security engineering and architecture, risk management and security awareness.
Company Information
Name | CHARTER COMMUNICATIONS, INC. /MO/ |
CIK | 0001091667 |
SIC Description | Cable & Other Pay Television Services |
Ticker | CHTR - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |