Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy

We have invested time and resources with a goal to define, implement and further develop the maturity of our cybersecurity risk management and strategy program. During this time, we have developed a common cybersecurity incident response plan across our businesses and jurisdictions that while unique to the risk profile of each business, allows us to utilize common response and decision-making protocols in an effort to react quickly to a potential cybersecurity threat and manage risk to our overall Company.

In developing our cybersecurity incident response plan and assessing the maturity of our cybersecurity threat program, we utilize the National Institute of Standards and Technology Cybersecurity Framework (NIST). We use NIST as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. We make it a practice to continually review the maturity of our program, utilizing the NIST standards and leveraging the feedback of both internal resources and external advisors in an effort to continuously improve our program in relation to evolving cybersecurity threats in our industry.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program overseen by our Risk Council, composed of professionals across a variety of departments and jurisdictions in our organization. Our cybersecurity program utilizes methodologies, reporting channels and governance processes across our subsidiaries that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas that are assessed and reviewed when onboarding new vendors, customers, product lines or shifts in our service delivery models.

Our cybersecurity risk management program includes:

●

risk assessments performed internally and with the help of third-party vendors that are designed to help identify material cybersecurity risks to our critical systems, information, products, services, equipment, and our broader enterprise IT and customer-facing network environments;

●

a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, (3) our response to cybersecurity incidents, and (4) our assessment of new products and business processes;

●

the use of external service providers, where appropriate, to assess, test or otherwise assist with the analysis of our security controls and those of our key vendors;

●

cybersecurity awareness training of our employees, incident response personnel, and senior management; and

●

a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.

To date, we have not experienced any prior cybersecurity incidents that have materially affected our operations, business strategy, results of operations, or financial condition. For a discussion of risks that could in the future impact our operations, business strategy or financial condition, please see “Cybersecurity breaches could have an adverse effect on our business” in our Risk Factors.

Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management program is integrated into our overall enterprise risk management program overseen by our Risk Council, composed of professionals across a variety of departments and jurisdictions in our organization. Our cybersecurity program utilizes methodologies, reporting channels and governance processes across our subsidiaries that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas that are assessed and reviewed when onboarding new vendors, customers, product lines or shifts in our service delivery models.

Our cybersecurity risk management program includes:

●

risk assessments performed internally and with the help of third-party vendors that are designed to help identify material cybersecurity risks to our critical systems, information, products, services, equipment, and our broader enterprise IT and customer-facing network environments;

●

a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, (3) our response to cybersecurity incidents, and (4) our assessment of new products and business processes;

●

the use of external service providers, where appropriate, to assess, test or otherwise assist with the analysis of our security controls and those of our key vendors;

●

cybersecurity awareness training of our employees, incident response personnel, and senior management; and

●

a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity in connection with its general risk assessment and oversight. The Audit Committee oversees management’s implementation of our cybersecurity risk management program.

The Committee receives frequent, and typically no less than quarterly reports from management on our cybersecurity risks, assessment of our cybersecurity program, and development of our information security incident response plan. In addition, management updates the Committee, pursuant to an agreed upon timetable and escalation

matrix regarding any material cybersecurity incidents, as well as providing the Committee with periodic reports on any incidents with lesser impact potential.

The Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management from time to time on our cyber risk management program. Board members receive presentations and training on cybersecurity topics from our Chief Information Officer (CIO), Vice President of Security, or external experts as part of the Board’s continuing education on topics that impact public companies. Our CTIO is an experienced information technology professional with just under 30 years of experience in the networking and communications industries. His extensive experience extends to all facets of information technology, including enterprise applications, cloud and SaaS systems, network infrastructure, and network management. For the past decade, he has been at the forefront of cloud systems development and security. Our VP of Security has over 30 years of experience in IT and Security and has the Certified Information System Security Professional (CISSP) certification as well as various technology vendor certifications.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee oversees management’s implementation of our cybersecurity risk management programThe Committee receives frequent, and typically no less than quarterly reports from management on our cybersecurity risks, assessment of our cybersecurity program, and development of our information security incident response plan. In addition, management updates the Committee, pursuant to an agreed upon timetable and escalation matrix regarding any material cybersecurity incidents, as well as providing the Committee with periodic reports on any incidents with lesser impact potential

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our internal security team is made up of experienced professionals that have an average of more than 25 years of IT and security experience, including certifications such as CISSP, CompTia Security+.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true