Page last updated on March 19, 2025
CINCINNATI BELL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-18 17:08:57 EDT.
Filings
Accession Number: 0000950170-25-041396
Item 1C. Cybersecurity.
Security Program Overview

The Company’s cybersecurity program is framework-based, risk-focused, and metrics-driven. It is supported by a comprehensive set of policies, procedures, and standards based on the NIST cybersecurity framework, encompassing administrative, physical, and technical safeguards. As a service provider and technology partner, we continuously undertake initiatives to address the following areas, ensuring a comprehensive security program.

Security Governance - The Company’s Vice President and Chief Security Officer (CSO) regularly reports to the Board of Directors, providing updates on the threat and risk landscape and the management of cybersecurity incidents. Additionally, the Board has designated a subcommittee that meets quarterly to provide further oversight of the cybersecurity program. This subcommittee comprises board members and the executive leadership team. The CSO also leads a cross-functional, executive-level Security Council that meets quarterly to govern all aspects of the Company’s security program. The CSO joined altafiber in 2023 with over 20 years of cybersecurity experience in highly regulated industries and the government in identifying, managing, and mitigating cybersecurity risk. Previously, the CSO held an officer role at a large Fortune 500 financial services firm developing cybersecurity strategy and leading teams focused on risk management, security architecture and engineering, incident response, and threat intelligence. The CSO also serves on multiple advisory boards related to cybersecurity and is the current board chair for Miami University’s Center for Cybersecurity.

Risk Management - The Company established an Enterprise Risk Management (ERM) Committee that employs the International Organization for Standardization (ISO) risk management standards. Members of the ERM Committee include the Company’s CSO, Chief Financial Officer, Chief Network Officer, Director of Safety and Risk Management and the Director of Internal Audit. The committee leverages a risk management tool to maintain a risk register, which systematically identifies, assesses, prioritizes, and manages risks within the enterprise. This structured approach enables us to conduct a formal, periodic risk assessment, ensuring the continuous enhancement of our security posture. In addition to threats, vulnerabilities, impacts and costs, the risk assessment process also identifies the costs and effectiveness of countermeasures and action plans to reduce risk.

Security Awareness and Training - The Company established a security awareness program that focuses on individual employees’ impact to the overall security strength of the company. Through web-based and in-person training, surveys, and published literature, the Company continuously makes employees aware of the vital role they play in protecting both the Company and customers’ data. Phishing exercises are also periodically conducted to improve employee knowledge of and response to security threats. Specialized web-based training covering Payment Card Industry (“PCI”), Health Insurance Portability and Accountability Act (“HIPAA”) and Federal Tax Information is also required and tracked for employees who have access to that data.

Identity and Access Management - The Company requires authorization of all personnel, including contractors, before being granted access to facilities, systems, and data. The Company’s identity and access management systems are integrated with human resource applications and processes to facilitate provisioning and de-provisioning of badges and logical system access.

Network Security - The Company employs a “defense in depth” strategy to secure our networks, servers, and data. Our critical networks utilize redundant components and connections to ensure high availability, reliability, and performance. We implement a security architecture based on zero trust principles, establishing rules for segmentation and access control that consider risk and business impact. This approach encompasses infrastructure, applications, and data in the cloud.

Endpoint and Device Protection & Anti-Malware - The Company has hardening policies and processes and uses a “gold image” approach to deploying new clients and servers. Configurations that go into gold images are reviewed with security staff. Advanced anti-malware controls are in place and patching cadence and performance of endpoint devices are watched closely.

Protection of Customer and Other Sensitive Data - The Company complies with regulations for Customer Proprietary Network Information protection (Title 47 section 222) and has taken measures over the past several years to limit or remove Personal Identifiable Information (“PII”) and other sensitive information from databases and internal systems. Access to sensitive information from third party partners is managed through secure virtual terminal environments, and movement of PII is monitored on premise and in key cloud applications.

Application and Product Security - The Company’s application security program is based on the Open Web Application Security Standard (“OWASP”) and critical systems have been benchmarked for compliance with our security policies and standards. Security work is jointly prioritized with security staff and product/application/development organizations and third parties with responsibility for application development and maintenance. Security checklists have also been developed and are used in new product development lifecycle processes.

Third Party Risk Management - Third parties with access to data or infrastructure must go through a vetting process to ensure they comply with reasonable and industry accepted security practices. The vetting process includes assessments, review of third-party attestation and inclusion of standard security language in contracts. Security staff work closely with legal, procurement/sourcing personnel and other stakeholders within the Company on third party compliance practices.

Threat and Vulnerability Management - Vulnerability scanning and attack and penetration testing, quarterly and annually, are conducted on perimeter networks and E-commerce platforms by third parties and qualified internal personnel. The testing covers network, host, application, and data security. The Company uses the Common Vulnerability Scoring System (“CVSS”) standard for vulnerability management. Various open source, third party and internally developed threat intelligence platforms are used to stay abreast of threats facing the Company and our industry.

Security Assessments - Various company environments are regularly audited by a third-party AICPA- and PCAOB-registered certified public accounting firm and have consistently obtained PCI DSS, SSAE18 SOC1, SOC2, CSAE34-16 SOC1 and SOC2 certifications and HIPAA compliance. The Company currently holds 20 such certifications.

Change Management and ITSM - The Company employs robust change, incident and problem management practices across core network, managed services, and information technology environments. Security team members are an active part of these processes.

Emergency Management, Incident Response and Cyber Insurance - The Company has invested in technology and processes for timely incident response to security and crisis events. Physical and cybersecurity staff, health and safety, legal, operational and human resources personnel are part of the overall emergency and incident response team. The Company has partnerships with third parties for forensics and incident response consulting. The Company also maintains effective levels of cyber insurance against large data breaches or cybersecurity events.

Service and Business Continuity - The Company conducts service continuity exercises and monitors network fault and performance 24 hours a day, 365 days a year to quickly detect and respond to service degradation or impairment. A set of business continuity plans and scenarios are also in place to address catastrophic events to personnel, critical infrastructure, and applications. The Company conducts periodic internal tabletop exercises and joint exercises with customers. Business continuity efforts are overseen by the Company’s Business Continuity Committee following policy set by the Company’s Security Council.

In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors- Intellectual Property Tax, Regulatory, and Litigation Risks” in this annual report on Form 10-K.

Website Access and Other Information

The Company was incorporated under the laws of Ohio in 1983 with its headquarters at 221 East Fourth Street, Cincinnati, Ohio 45202 (telephone number (513) 397-9900 and website address http://www.altafiber.com). The Company has ceased to be subject to the reporting requirements of the Securities Exchange Act of 1934, as amended, but continues to voluntarily file annual, quarterly and certain other information with the SEC due to contractual provisions included in certain indentures. The SEC maintains an internet site that contains reports, proxy statements, and other information about issuers which file electronically with the SEC. The address of that site is http://www.sec.gov.
Company Information
Name | CINCINNATI BELL INC |
CIK | 0000716133 |
SIC Description | Telephone Communications (No Radiotelephone) |
Ticker | |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |