UNITED STATES CELLULAR CORP 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

UNITED STATES CELLULAR CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 07:50:59 EST.

Filings

10-K filed on 2025-02-21

UNITED STATES CELLULAR CORP filed a 10-K at 2025-02-21 07:50:59 EST
Accession Number: 0000821130-25-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity of this Form 10-K for additional information. 28) Disruption in credit or other financial markets, a deterioration of U.S. or global economic conditions or other events could, among other things, impede UScellular’s access to or increase the cost of financing its operating and investment activities and/or result in reduced revenues and lower operating income and cash flows, which would have an adverse effect on UScellular’s business, financial condition or results of operations. Disruptions in the credit and financial markets, declines in consumer confidence, increases in unemployment, declines in economic growth, increased tariffs on import goods, sudden increases in inflation and uncertainty about corporate earnings could have a significant negative impact on the U.S. and global financial and credit markets and the overall economy. Such events could have an adverse impact on financial institutions resulting in limited access to capital and credit for many companies. Furthermore, economic uncertainties make it very difficult to accurately forecast and plan future business activities. Changes in economic conditions, changes in financial markets, changes in U.S. trade policies, deterioration in the capital markets or other factors could have an adverse effect on UScellular’s business, financial condition, revenues, results of operations and cash flows. 29) The impact of public health emergencies on UScellular’s business is uncertain, but depending on duration and severity could have a material adverse effect on UScellular’s business, financial condition or results of operations. Public health emergencies pose the risk that UScellular or its associates, agents, partners and suppliers may be unable to conduct business activities for an extended period of time and/or provide the level of service expected. UScellular’s ability to attract customers, maintain an adequate supply chain and execute on its business strategies and initiatives could be negatively impacted by public health emergencies. Additionally, public health emergencies could cause increased unemployment and an economic downturn, both of which could negatively impact UScellular. The extent of the impact of public health emergencies on UScellular’s business, financial condition and results of operations will depend on the severity and duration of the emergency, actions taken by governmental authorities and other possible direct and indirect consequences, all of which are uncertain and cannot be predicted. Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity The UScellular information security program is based on a defense-in-depth approach and aligns with the National Institute of Standards and Technology (NIST) cybersecurity framework. Security control and maturity assessments are conducted periodically leveraging this standard. UScellular also leverages internal and external auditors and consultants to perform independent assessments and tests of security controls. The assessment results are used to drive continuous improvement in the UScellular cybersecurity control environment, as well as to manage potential data security risks of third-party service providers. UScellular identifies risks across the threat and vulnerability landscape using various commercial, government, vendor and publicly available information sources and tools. Risks related to third-party providers who have access to UScellular data and systems are identified, assessed and managed through a formal third-party risk assessment process. Third-parties who access sensitive company or customer information are contractually obligated to meet specific privacy and security requirements. The UScellular security operations program includes active monitoring of the internal data environment and regular assessment of the environments of third-party service providers who manage sensitive data. In addition, UScellular security leaders conduct regular cyber incident simulations to ensure preparedness in the event of a cyber-attack and further test potential risks. Identified risks are evaluated against a risk classification framework to direct remediation, mitigation and management efforts based on severity. Cybersecurity risks are integrated into the UScellular Enterprise Risk Management (ERM) program with updates provided on a quarterly basis. The Senior Vice President of Information Technology is responsible for assessing and managing cybersecurity risks. He has over twenty years of experience at the company, encompassing network engineering, information technology and cyber security. Management has a depth of cybersecurity experience focused on increasing the organization’s resilience to security threats and stays current on new developments through continuing education and monitoring of the cybersecurity landscape. As part of their accountability for incident response, significant incidents are communicated to an internal committee including the Chief Financial Officer and general counsel to assess their materiality and if materiality is confirmed it is reported by the defined process. To date UScellular has not identified nor become aware of any cybersecurity incidents that individually or in aggregate have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. The full Board of Directors engages in oversight of UScellular’s cybersecurity risks. The Board of Directors receives regular updates from management on technology and security updates and UScellular’s assessment of cybersecurity threats and mitigation plans. The Senior Vice President of Information Technology provides the full Board of Directors an annual update and discussion of the cybersecurity program. The UScellular Audit Committee oversees the processes over internal controls and financial reporting that includes controls and procedures that are designed to ensure that significant cybersecurity incidents are communicated to both senior management and the Audit Committee. The Audit Committee meets with the Senior Vice President of Information Technology at least two times per year. Cybersecurity is also discussed with the Technology Advisory Group of the Board of Directors as warranted, typically on an annual basis.
Item 1C. Cybersecurity The UScellular information security program is based on a defense-in-depth approach and aligns with the National Institute of Standards and Technology (NIST) cybersecurity framework. Security control and maturity assessments are conducted periodically leveraging this standard. UScellular also leverages internal and external auditors and consultants to perform independent assessments and tests of security controls. The assessment results are used to drive continuous improvement in the UScellular cybersecurity control environment, as well as to manage potential data security risks of third-party service providers. UScellular identifies risks across the threat and vulnerability landscape using various commercial, government, vendor and publicly available information sources and tools. Risks related to third-party providers who have access to UScellular data and systems are identified, assessed and managed through a formal third-party risk assessment process. Third-parties who access sensitive company or customer information are contractually obligated to meet specific privacy and security requirements. The UScellular security operations program includes active monitoring of the internal data environment and regular assessment of the environments of third-party service providers who manage sensitive data. In addition, UScellular security leaders conduct regular cyber incident simulations to ensure preparedness in the event of a cyber-attack and further test potential risks. Identified risks are evaluated against a risk classification framework to direct remediation, mitigation and management efforts based on severity. Cybersecurity risks are integrated into the UScellular Enterprise Risk Management (ERM) program with updates provided on a quarterly basis. The Senior Vice President of Information Technology is responsible for assessing and managing cybersecurity risks. He has over twenty years of experience at the company, encompassing network engineering, information technology and cyber security. Management has a depth of cybersecurity experience focused on increasing the organization’s resilience to security threats and stays current on new developments through continuing education and monitoring of the cybersecurity landscape. As part of their accountability for incident response, significant incidents are communicated to an internal committee including the Chief Financial Officer and general counsel to assess their materiality and if materiality is confirmed it is reported by the defined process. To date UScellular has not identified nor become aware of any cybersecurity incidents that individually or in aggregate have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. The full Board of Directors engages in oversight of UScellular’s cybersecurity risks. The Board of Directors receives regular updates from management on technology and security updates and UScellular’s assessment of cybersecurity threats and mitigation plans. The Senior Vice President of Information Technology provides the full Board of Directors an annual update and discussion of the cybersecurity program. The UScellular Audit Committee oversees the processes over internal controls and financial reporting that includes controls and procedures that are designed to ensure that significant cybersecurity incidents are communicated to both senior management and the Audit Committee. The Audit Committee meets with the Senior Vice President of Information Technology at least two times per year. Cybersecurity is also discussed with the Technology Advisory Group of the Board of Directors as warranted, typically on an annual basis.

Company Information