TELEPHONE & DATA SYSTEMS INC /DE/ 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

TELEPHONE & DATA SYSTEMS INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 08:00:26 EST.

Filings

10-K filed on 2025-02-21

TELEPHONE & DATA SYSTEMS INC /DE/ filed a 10-K at 2025-02-21 08:00:26 EST
Accession Number: 0001051512-25-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity of this Form 10-K for additional information. 28) Disruption in credit or other financial markets, a deterioration of U.S. or global economic conditions or other events could, among other things, impede TDS’ access to or increase the cost of financing its operating and investment activities and/or result in reduced revenues and lower operating income and cash flows, which would have an adverse effect on TDS’ business, financial condition or results of operations. Disruptions in the credit and financial markets, declines in consumer confidence, increases in unemployment, declines in economic growth, increased tariffs on import goods, sudden increases in inflation and uncertainty about corporate earnings could have a significant negative impact on the U.S. and global financial and credit markets and the overall economy. Such events could have an adverse impact on financial institutions resulting in limited access to capital and credit for many companies. Furthermore, economic uncertainties make it very difficult to accurately forecast and plan future business activities. Changes in economic conditions, changes in financial markets, changes in U.S. trade policies, deterioration in the capital markets or other factors could have an adverse effect on TDS’ business, financial condition, revenues, results of operations and cash flows. 29) The impact of public health emergencies on TDS’ business is uncertain, but depending on duration and severity could have a material adverse effect on TDS’ business, financial condition or results of operations. Public health emergencies pose the risk that TDS or its associates, agents, partners and suppliers may be unable to conduct business activities for an extended period of time and/or provide the level of service expected. TDS’ ability to attract customers, maintain an adequate supply chain and execute on its business strategies and initiatives could be negatively impacted by public health emergencies. Additionally, public health emergencies could cause increased unemployment and an economic downturn, both of which could negatively impact TDS. The extent of the impact of public health emergencies on TDS’ business, financial condition and results of operations will depend on the severity and duration of the emergency, actions taken by governmental authorities and other possible direct and indirect consequences, all of which are uncertain and cannot be predicted . Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity The TDS information security program is based on a defense-in-depth approach and aligns with the National Institute of Standards and Technology (NIST) cybersecurity framework. Security control and maturity assessments are conducted periodically leveraging this standard. TDS also leverages internal and external auditors and consultants to perform independent assessments and tests of security controls. The assessment results are used to drive continuous improvement in the TDS cybersecurity control environment, as well as to manage potential data security risks of third-party service providers. TDS identifies risks across the threat and vulnerability landscape using various commercial, government, vendor and publicly available information sources and tools. Risks related to third-party providers who have access to TDS data and systems are identified, assessed and managed through a formal third-party risk assessment process. Third-parties who access sensitive company or customer information are contractually obligated to meet specific privacy and security requirements. The TDS security operations program includes active monitoring of the internal data environment and regular assessment of the environments of third-party service providers who manage sensitive data. In addition, TDS security leaders conduct regular cyber incident simulations to ensure preparedness in the event of a cyber-attack and further test potential risks. Identified risks are evaluated against a risk classification framework to direct remediation, mitigation and management efforts based on severity. Cybersecurity risks are integrated into the TDS Enterprise Risk Management (ERM) program with updates provided on a quarterly basis. The TDS Chief Information Security Officer (CISO) and UScellular Senior Vice President of Information Technology are responsible for assessing and managing cybersecurity risks. Each has over twenty years of experience at the company, encompassing network engineering, information technology and cyber security. Management has a depth of cybersecurity experience focused on increasing the organization’s resilience to security threats and stays current on new developments through continuing education and monitoring of the cybersecurity landscape. As part of their accountability for incident response, significant incidents are communicated to an internal committee including the Chief Financial Officer and general counsel to assess their materiality and if materiality is confirmed it is reported by the defined process. To date TDS has not identified nor become aware of any cybersecurity incidents that individually or in aggregate have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. The full Board of Directors engages in oversight of TDS’ cybersecurity risks. The Board of Directors receives regular updates from management on technology and security updates and TDS’ assessment of cybersecurity threats and mitigation plans. The TDS CISO and UScellular Senior Vice President of Information Technology provide the full Board of Directors an annual update and discussion of the cybersecurity program. The TDS Audit Committee oversees the processes over internal controls and financial reporting that includes controls and procedures that are designed to ensure that significant cybersecurity incidents are communicated to both senior management and the Audit Committee. The Audit Committee meets with the TDS CISO and UScellular Senior Vice President of Information Technology at least two times per year. Cybersecurity is also discussed with the Technology Advisory Group of the Board of Directors as warranted, typically on an annual basis.
Item 1C. Cybersecurity The TDS information security program is based on a defense-in-depth approach and aligns with the National Institute of Standards and Technology (NIST) cybersecurity framework. Security control and maturity assessments are conducted periodically leveraging this standard. TDS also leverages internal and external auditors and consultants to perform independent assessments and tests of security controls. The assessment results are used to drive continuous improvement in the TDS cybersecurity control environment, as well as to manage potential data security risks of third-party service providers. TDS identifies risks across the threat and vulnerability landscape using various commercial, government, vendor and publicly available information sources and tools. Risks related to third-party providers who have access to TDS data and systems are identified, assessed and managed through a formal third-party risk assessment process. Third-parties who access sensitive company or customer information are contractually obligated to meet specific privacy and security requirements. The TDS security operations program includes active monitoring of the internal data environment and regular assessment of the environments of third-party service providers who manage sensitive data. In addition, TDS security leaders conduct regular cyber incident simulations to ensure preparedness in the event of a cyber-attack and further test potential risks. Identified risks are evaluated against a risk classification framework to direct remediation, mitigation and management efforts based on severity. Cybersecurity risks are integrated into the TDS Enterprise Risk Management (ERM) program with updates provided on a quarterly basis. The TDS Chief Information Security Officer (CISO) and UScellular Senior Vice President of Information Technology are responsible for assessing and managing cybersecurity risks. Each has over twenty years of experience at the company, encompassing network engineering, information technology and cyber security. Management has a depth of cybersecurity experience focused on increasing the organization’s resilience to security threats and stays current on new developments through continuing education and monitoring of the cybersecurity landscape. As part of their accountability for incident response, significant incidents are communicated to an internal committee including the Chief Financial Officer and general counsel to assess their materiality and if materiality is confirmed it is reported by the defined process. To date TDS has not identified nor become aware of any cybersecurity incidents that individually or in aggregate have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. The full Board of Directors engages in oversight of TDS’ cybersecurity risks. The Board of Directors receives regular updates from management on technology and security updates and TDS’ assessment of cybersecurity threats and mitigation plans. The TDS CISO and UScellular Senior Vice President of Information Technology provide the full Board of Directors an annual update and discussion of the cybersecurity program. The TDS Audit Committee oversees the processes over internal controls and financial reporting that includes controls and procedures that are designed to ensure that significant cybersecurity incidents are communicated to both senior management and the Audit Committee. The Audit Committee meets with the TDS CISO and UScellular Senior Vice President of Information Technology at least two times per year. Cybersecurity is also discussed with the Technology Advisory Group of the Board of Directors as warranted, typically on an annual basis.

Company Information