Page last updated on February 27, 2025
ADT Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:02:02 EST.
Company Summary
ADT is a security company that provides smart home solutions and business security.
Filings
10-K filed on 2025-02-27
ADT Inc. filed a 10-K at 2025-02-27 17:02:02 EST
Accession Number: 0001703056-25-000022
Item 1C. Cybersecurity.
We view cybersecurity as the prevention and timely detection and correction of any unauthorized occurrence or series of related unauthorized occurrences that are on or conducted through our information systems and that jeopardizes the confidentiality, integrity, or availability of our systems or any information residing therein. We believe that the safety, security, and privacy of our customers and employees are fundamental to the services we provide. Our cybersecurity policies guide us as we strive to continuously enhance methods, best practices, and technologies to better monitor and protect customer data and inform and enable customers to make choices about their data privacy. We carefully consider data privacy when developing our own products and when incorporating products provided by our business partners.

Risk Management and Strategy

We identify, assess, and manage cybersecurity risk as part of our company-wide enterprise risk management program.

Our Chief Information Security Officer (“CISO”), Tim Rains, has more than 30 years of experience as an IT professional, with over 20 of those years spent in cybersecurity roles. Mr. Rains has held senior cybersecurity advisor roles at both Amazon Web Services and Microsoft. Mr. Rains has experience across multiple cybersecurity disciplines including vulnerability management, incident response, crisis communications, threat intelligence, cybersecurity architecture and operations, governance, risk, and compliance. Mr. Rains is designated as a Certified Information Systems Security Professional and is responsible for developing and implementing plans and strategies to mitigate cybersecurity risks.

Our CISO also leads our cybersecurity risk assessment, which includes security posture scoring, vulnerability assessments, process maturity, and tooling coverage. We log cybersecurity risks into our cybersecurity risk register and track such risks for treatment.
Management then discusses these cybersecurity risks for resolution planning and escalation. We leverage recognized cybersecurity frameworks to drive strategic direction and maturity improvement and engage third-party security experts as needed for risk assessments, risk mitigation actions, vulnerability identification, and program enhancements, as appropriate.

As part of this process, we use the following tools and procedures:

- utilizing “SecurityScorecard” (a third-party information security company that rates cybersecurity postures of corporate entities for the purposes of third-party management and information technology risk management), which provides an independent external enterprise view of our security posture with a focus on public-facing systems;
- assessing, regularly developing, and executing on our preventative and detective controls, which we seek to align with current standards and best practices, including the incorporation of recommendations published by the National Institute of Standards and Technology in its cybersecurity framework, such as an annual audit of these internal controls;
- performing attack and breach simulations; and
- working with our cybersecurity vendors to adopt tooling and processes to provide high levels of protection.

Governance

Cybersecurity Management and Board Oversight

Our Board of Directors, through its Audit Committee, has primary responsibility for overseeing cybersecurity risk management and receives updates on the status of our cybersecurity program from our CISO. These updates are provided at least once per year, and often multiple times per year, in a special Audit Committee session and include reports on our security posture and SecurityScorecard assessment (rating and benchmarking), incident response, and vulnerability management.
The Audit Committee reviews and discusses with management our cybersecurity threats, vulnerabilities, defenses, and planned responses, including updates to our cybersecurity incident response plan (“IRP”), which has been approved by the Audit Committee. Additionally, the Audit Committee receives and discusses reports from management with the purpose of identifying threats and vulnerabilities, and it monitors the effectiveness and progress of the actions and initiatives undertaken to mitigate such threats.

Our cybersecurity program team is led by our CISO (who ultimately reports to the Chief Operating Officer). The cybersecurity leadership team (“CSLT”), which is chaired by our Chief Operating Officer and includes our Chief Financial Officer, Chief Legal Officer, Chief Information Officer, CISO, and Chief Privacy Officer, among others, collaborates with enterprise risk professionals and is supported by an established Information Security (“InfoSec”) function responsible for certain aspects of maintaining and monitoring our cybersecurity infrastructure.

In addition, our Chief Privacy Officer, who reports to our Chief Legal Officer, manages processes and protections around our sensitive data and facilitates compliance with applicable data protection laws, rules, and regulations. Our Chief Privacy Officer has over 20 years of experience overseeing corporate data privacy and intellectual property policies and procedures.

To maintain high levels of awareness and aptitude, all of our employees are required to complete annual trainings regarding current security risks and our InfoSec and privacy policies. Additional education and training are also required for specific groups based on their roles and access within the organization.
Incident Response Plan and Cybersecurity Incident Materiality Assessment Policy

We seek to align with industry-standard cybersecurity frameworks designed to protect our information systems and both Company and customer data from unintentional disclosure, cybersecurity incidents, events, and other threats of varying severity levels. As part of our alignment efforts with these frameworks, we maintain the IRP, which outlines the actions to be taken after identifying an incident that affects or could potentially affect our information systems and the people responsible for managing and overseeing those actions.

Under the IRP, cybersecurity incidents are generally addressed by our Cybersecurity Incident Response Team (“CSIRT”), consisting of our CISO, deputy CISO, director of security operations, senior manager of incident response, and members of the security operations team. Incidents of higher severity are elevated to the CSLT. Under the IRP, if an incident requires the involvement of the CSLT, the CSIRT will regularly update the CSLT on the status of the incident response process. Members of the CSLT, primarily the Chief Operating Officer and CISO, will be responsible for updating the Chief Executive Officer, Audit Committee, and the lead independent director of our Board of Directors. Members of the CSIRT and CSLT, along with the Chief Executive Officer, Audit Committee, and the lead independent director of our Board of Directors regularly participate in cybersecurity incident tabletop exercises and event simulations.

If a materiality assessment is required, an assessment committee consisting of the Chief Financial Officer, Chief Operating Officer, Chief Legal Officer, CISO, and Chief Accounting Officer (and/or their designee) (collectively, the “Assessment Committee”) will consult with the CSIRT and CSLT, as appropriate.
The Assessment Committee is responsible for assessing, without unreasonable delay, the materiality of cybersecurity incidents reported to it, determining materiality and any necessary disclosures, and informing our disclosure committee of such determinations. In assessing materiality, the Assessment Committee will consult with internal and external advisors, as appropriate, and evaluate quantitative and qualitative factors to assess the impact and/or reasonably likely impacts of the cybersecurity incident.

For additional information regarding how cybersecurity threats have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see “Risk Factors”:

- “Delays, costs, and disruptions that result from upgrading, integrating, and maintaining the security of our information and technology networks and systems could materially adversely affect us,”
- “If we do not effectively implement our plans to migrate our technology infrastructure to the cloud, we could experience significant disruptions in our operations, which could have a material adverse effect on our results of operations and financial condition,”
- “Cybersecurity attacks or threats or other unauthorized access or attempts to access to our systems, or those of third parties, have in the past, and may in the future, compromise the security of our systems and otherwise disrupt our normal operations, which could have a material adverse effect on our reputation, business, financial condition, results of operations and cash flows,” and
- “Our independent, third-party authorized dealers may not be able to mitigate certain risks such as information technology and data security breaches, product liability, errors and omissions, and compliance with applicable laws and regulations.”
Company Information
Name | ADT Inc. |
CIK | 0001703056 |
SIC Description | Services-Detective, Guard & Armored Car Services |
Ticker | ADT - NYSE |
Category | Large accelerated filer |
Fiscal Year End | December 30 |