QWEST CORP 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

QWEST CORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-20 16:19:46 EST.

Filings

10-K filed on 2025-02-20

QWEST CORP filed a 10-K at 2025-02-20 16:19:46 EST
Accession Number: 0000068622-25-000005


Item 1C. Cybersecurity.

Risk Management and Strategy

As a technology and communications company that globally transmits large amounts of information over our networks, we recognize the critical importance of maintaining the security and integrity of information and systems under our control. We view cybersecurity risk as one of our principal enterprise-wide risks, subject to control and monitoring at various levels of management throughout the Company. We dedicate significant resources towards programs designed to identify, assess, manage, mitigate and respond to cybersecurity threats.

As described in Item 1A “Risk Factors,” several features of our operations heighten our susceptibility to cyber-attacks, including (i) our material reliance on systems owned, operated or controlled by unaffiliated third-party operators and (ii) our processing and storage of large amounts of sensitive customer data. Cyber-attacks on our systems may be initiated by a wide variety of intruders, including employees, cyber-criminals, nation state actors and other advanced persistent threat actors, and may include attempts by outside parties to gain access to sensitive data that is stored in or transmitted across our network. Cyber-attacks can take many forms, including computer hackings, computer viruses, ransomware, worms or other destructive or disruptive software, denial of service attacks, or other malicious activities.

To identify, assess and mitigate cybersecurity risk, we have implemented a global information security management program that includes administrative, technical, and physical safeguards. This program seeks to identify, detect, protect and respond to threats to our information systems. Our security operations center provides advanced threat detection and response capabilities. Lumen maintains an insider threat program to detect, investigate and mitigate insider threat risks to Lumen assets, data, services and personnel globally.
Our cybersecurity and privacy policies encompass information security, incident response procedures, and vendor management. Our risk management team works closely with our information technology, privacy, product, and operations departments to continuously evaluate emerging cyber risk. We monitor existing or proposed cybersecurity and privacy laws, regulations and guidance that are or may be applicable to us in the regions where we operate, including in the European Union and the United Kingdom where we are subject to the GDPR, as well as various other laws governing privacy rights, data protection and cybersecurity in other regions. As a U.S. government contractor, we are required to comply with extensive governmental regulations and standards regarding cyber security.

Lumen periodically engages both internal and external auditors and consultants to assess and enhance our program. These independent external auditors and consultants are accredited under various information security standards, including those administered by the International Organization for Standardization and the PCI Security Standards Council. These engagements typically include penetration testing, third-party certifications, compliance assessments, audits, and assessments of vulnerabilities and emerging threats. We also periodically deploy our Internal Audit processes to conduct additional reviews and assessments. We also mutually exchange threat intelligence with government agencies, cyber analysis centers and cybersecurity associations.

As noted elsewhere in this annual report, we are materially reliant on a variety of third-party service providers to operate our business, which exposes us to the risk of cyber incidents impacting those providers’ systems. We have a vendor risk management program that assesses, manages and oversees risks associated with third-party service providers who have access to our data and systems. We maintain ongoing monitoring to ensure their compliance with our cybersecurity standards.

Despite our efforts to prevent security incidents, (i) some of these attacks have resulted in security incidents (although thus far we do not believe that any of these incidents has resulted in a material adverse effect on our operating results or financial condition) and (ii) future security incidents are likely (some of which could have a material adverse effect on operating results or financial condition). See Item 1A “Risk Factors” for a further discussion of cybersecurity risks.

Lumen maintains an Incident Response Playbook that provides a set of guidelines for our stakeholders to follow when handling any data incident. This playbook describes how we assess incidents and how our security team shares information about such incidents with others at Lumen, including senior leadership and, if warranted, with some or all members of its Board of Directors. These escalation provisions, together with Lumen’s disclosure controls and procedures, are designed to ensure that appropriate representatives throughout the Company are available to assess how to respond to such incidents and make any necessary public notifications.

The Cybersecurity Incident Response Team (“CIRT”) is responsible for detecting and coordinating responses to all security incidents. This team regularly assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss response options. The CIRT also addresses each incident, unless it determines that an incident is sufficiently serious. In those instances, it will notify the Cyber Security Watch Team (“CSWAT”), which is responsible for addressing cybersecurity incidents that raise more significant risks. The CSWAT is comprised of senior IT, operations, risk, legal and compliance leaders across business segments.
In addition to addressing our more significant cyber incidents, the CSWAT manages risks from matters related to business continuity, including risks posed by cybersecurity threats, and implements controls to mitigate such operational risks. Among other processes, this team reviews our programs and processes related to information security, third-party risk, vendor management, facilities, unplanned downtime, business disruption, business continuity and disaster recovery.

Governance

As part of our overall risk management approach, Lumen prioritizes the identification and management of cybersecurity risk at several levels, including Board oversight, executive commitment and employee training. Lumen’s Risk and Security Committee, comprised of independent directors from its Board, assists the Board in overseeing our cybersecurity and data privacy risk. Specifically, our Risk and Security Committee, which meets quarterly, (i) receives periodic reports from Lumen’s Chief Security Officer (“CSO”) on security programs, including incident reports, (ii) reviews cybersecurity risk assessments from information security, privacy, and internal audit management teams, including the adequacy and effectiveness of the Company’s internal controls regarding cybersecurity; (iii) reviews emerging cybersecurity developments and threats; (iv) reviews compliance with applicable laws and industry standards; and (v) periodically reviews our strategy to mitigate cybersecurity risks, such as our cyber insurance coverage and contingency plans in the event of security incidents or other system disruptions.

At least quarterly, the Risk and Security Committee provides reports to the full Board regarding matters recently discussed by the Committee, which enables the full Board to provide additional oversight of our cyber risks and cyber processes. The full Board also reviews our cybersecurity risks in connection with its annual review of our enterprise risk mitigation programs.
Lumen’s CSO has extensive experience working in the public and private sectors leading security organizations, managing risk management functions, and driving large information technology deployments. He has an Engineering degree, a Master of Business Administration, a Chief Information Security Officer Certification, and a Global Information Assurance Certification Security Leadership Certification. He oversees the implementation and compliance of our information security standards and mitigation of information security related risks.

Lumen’s cybersecurity organization includes a response team and management level committees who support our processes to assess and manage cybersecurity risk as follows:

- At the day-to-day operational level, Lumen maintains an experienced information security team who are tasked with implementing our privacy and cybersecurity program and support the CSO in implementing our detection, reporting, security and mitigation functions. This team and the CSO work to develop and implement tools and processes designed to assist in identifying, containing and remediating cybersecurity incidents, and periodically retain consultants to assist with these activities. Lumen generally seeks to promote a company-wide awareness of cybersecurity risk through broad-based communications and educational initiatives, including regularly conducting phishing tests and holding employee trainings on our privacy, cybersecurity and information management policies, at least annually and more frequently when legal or other developments warrant.

- The Technology, Security, and Privacy Council, co-chaired by the CSO, the Chief Information Officer (CIO), and the Chief Privacy Officer (CPO), leverages the combined expertise of various security, IT, legal, internal audit, and operational leaders across the company. This council provides a forum for these cross-functional members of management of our leadership team to consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise. Members of this council are responsible for reporting on cybersecurity and privacy risks to the Risk Oversight Committee (“ROC”).

- The ROC, whose core members include our Chief Financial Officer, Chief Technology and Product Officer, Executive Vice President of Enterprise Operations, and Chief Legal Officer, oversees our company-wide risk mitigation strategies. With respect to cyber risks, the ROC’s oversight function helps to ensure accountability, adequacy of resourcing, implementation of Company directives, and alignment of oversight provided by our Board of Directors and our senior leadership team. Some of the more significant risks discussed by the ROC are also reported to our Risk and Security Committee at least quarterly.


Company Information

Name: QWEST CORP
CIK: 0000068622
SIC Description: Telephone Communications (No Radiotelephone)
Ticker: CTBB - NYSE, CTDD - NYSE
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30