Cybersecurity

Monitoring and strengthening our network to proactively detect, prevent and respond to evolving cyber threats.

Click through to learn about our 2025 impact in action.

Our Approach

We defend the AT&T network with a multi-layered approach focused on fostering a secure, trusted and risk-informed environment. This includes monitoring, active prevention and rapid response to security threats. We leverage tools, where available, that include near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trend analysis and predictive security alerting.

Our network and information security program is designed to protect the confidentiality, integrity and availability of our information and that of our customers. Our program encompasses the Chief Security Office (CSO) and its policies, platforms, procedures and processes for assessing, identifying, responding to and resolving security risks from cybersecurity threats in a timely manner to minimize the loss or compromise of information assets. This includes third-party risk from vendors and suppliers. As we develop our security programs, we strive to do so in a way that supports the organization’s growth and ability to serve our customers.

We look for opportunities to continuously improve our security processes, strengthen identity and access management, equip our business units with strong security postures, quantify and reduce technology risks and proactively address vulnerabilities.

All AT&T employees receive annual security training. Educational materials are also available to customers, suppliers and employees. Additionally, through our “Know it. Validate it. Use it.” communications, we raise awareness of industry-leading security practices.

Security Policies and Standards

We have dedicated security policies and standards that apply to all AT&T employees, contractors and suppliers and that are informed by industry-leading and regulatory standards, including:

National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and NIST 800-53 Rev. 5.
External certification and assessment requirements, such as PCI DSS, SOX, SSAE18/ISAE3402 SOC and ISO 27001.
Privacy and data security laws and regulations, such as the California Consumer Privacy Act, the European Union’s General Data Protection Regulation and the New York Department of Financial Services Part 500 Cybersecurity requirements.

Our supplier contracts require strict adherence to our information security standards. For commercially available products or applications, AT&T conducts thorough risk assessments before granting approval for use.

Learn more about our security policies and standards on our Security at AT&T webpage.

Risk Management

We identify, assess, monitor and manage risks from cybersecurity threats through various mechanisms. These may include tabletop exercises to test our preparedness and incident response process, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, penetration tests and engaging third parties to conduct analyses of our information security program. We conduct vulnerability testing and assess identified vulnerabilities for severity, the potential impact to AT&T and our customers and the likelihood of occurrence. Our security teams work with application and system owners to remediate vulnerabilities. We regularly evaluate our security controls to maintain their functionality in accordance with our security policy. We also apply cybersecurity threat intelligence from recognized forums, third parties and other sources to risk assessment processes. In addition, we collaborate with numerous U.S. agencies to help protect U.S. communications networks.

Learn more about our network security monitoring, testing and reporting in the AT&T Information & Network Security Customer Reference Guide.

Compliance Reviews

Third-party assessors audit our security controls annually, including:

Information Security Standard (ISO/IEC 27001) Recertification: AT&T maintains two global ISO/IEC 27001 certifications that cover our global intellectual property infrastructure and certain customer-facing managed services.
Quality Management Standard (ISO 9001)¹: AT&T has achieved ISO 9001 certification.
Third-Party Audits for Certain Services: AT&T is audited for services such as those for the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act and the Statement on Standards for Attestation Engagements 18/International Standard on Assurance Engagements 3402.

Customer Awareness and Education

AT&T is a Board Member of the National Cybersecurity Alliance, a nonprofit focused on creating a more secure and interconnected world through public awareness and educational efforts.

We empower customers to take their security into their own hands with AT&T Cyber Aware. This website raises awareness of cyber scams, how to recognize them and how customers can protect themselves, along with other security and privacy information.

Learn more about how customers can report on, and guard against, fraud or security issues on our Fraud & Security Resources website. Learn more about our service security and features in the AT&T Business Service Guide.

Stakeholder Engagement

We collaborate with our industry peers and others to advance network and data security through the following organizations:

Through the annual AT&T Secure Connections Conference, we convene AT&T, government and security experts to explore the current and future security landscape.

Cybersecurity Governance

Our cybersecurity oversight is carried out through internal bodies:

Board of Directors, Audit Committee: Has oversight responsibility to review and discuss with management the company’s privacy and data security, including cybersecurity, risk exposures, policies and practices. The committee also reviews the steps AT&T management has taken to detect, monitor and control risks and the potential impact of those exposures on our business, financial results, operations and reputation. The full Board and Audit Committee regularly receive presentations from our Chief Information Security Officer (CISO), Chief Technology Officer and AT&T’s Legal team on privacy and data security issues and risks. In addition to regular reports to the Audit Committee, we have protocols by which certain security incidents are escalated within the company and, where appropriate, in a timely manner to the Audit Committee.
Information Risk Council: Comprises C-suite officers who meet quarterly to discuss and take action on cybersecurity issues and priorities. Led by our CISO, the council continually reviews and works to strengthen AT&T’s information security posture, ensuring the program enables business priorities and accounts for regulatory changes, evolving threats and industry-leading practices.
Chief Information Security Officer: Assesses and manages our material risks from cybersecurity threats. The CISO works closely with AT&T Legal to oversee compliance with legal, regulatory and contractual security requirements.
Chief Security Office: Has management-level responsibility for all aspects of network and information security within the company. Led by our CISO and comprised of a large team of highly trained security professionals across multiple countries, the CSO is responsible for:
- Establishing the policies, standards and requirements for the security of AT&T’s computing and network environments.
- Protecting AT&T-owned and -managed assets and resources against unauthorized access by monitoring potential security threats, analyzing network events and overseeing the execution of corrective actions.
- Promoting compliance with AT&T’s security policies and network and information security program in a consistent manner on network systems and applications.
- Providing security thought leadership in the global security arena.
Business Information Security Officers (BISOs): Support business units by partnering with leadership to address cybersecurity challenges unique to their organizations, align security strategies with business objectives and work to ensure compliance with company policies. Each BISO is dedicated to a specific business unit through the CSO.

Impact in Action

Our 2025 Impact in Action

In 2025, we continued to enhance operational excellence, quantifying and reducing technology risk, enabling business units through training and tools, and strengthening identity and access management and remediation.

In 2025, we did not identify any risks from cybersecurity threats, including risks arising from any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.

Responsible Artificial Intelligence (AI) Usage

We continue to accelerate the development and implementation of our AI security programs. This includes leveraging AI to proactively monitor industry alerts and rapidly assess the validity and criticality of emerging threats while strengthening our defensive processes with risk management controls. We also made it easier for our developers to use our AI chatbot to implement security policies and standards in their projects and decision-making processes.

Our use of real-time, behavior-based analytics is instrumental in detecting identity fraud, employing machine-learning models to flag or prevent suspicious transactions. To centralize our efforts, we also established the AI Security Center of Excellence (CoE), which consolidates expertise, industry-leading practices and governance. The AI CoE accelerates secure AI operationalization, ensures consistency across teams and serves as the authoritative body for AI risk, security and compliance decisions.

We have established an AI governance review board that reviews proposed AI use cases prior to deployment. It includes our CSO, which assesses cybersecurity risks in the deployment of AI technologies, and representatives from AT&T’s technology, legal, security, privacy, compliance and business segments.

Beyond AI, we work to manage risks from other emerging technologies, such as quantum computing.

Learn more about our approach to AI in our Responsible AI issue brief.

Strengthening Security

Network Security

In 2025, we continued to improve the security of our network by applying a more disciplined, risk-informed approach that strengthens compliance with our defined risk appetite.

Our AI security program advanced significantly, enabling us to quickly detect and assess emerging threats and counter the growing use of AI by malicious actors. We complemented this work with expanded training and skill-building for our workforce, ensuring employees can navigate evolving technologies such as advanced AI and quantum computing.

We also enhanced core capabilities like multifactor authentication and continuous monitoring, all of which help reduce technology risk, improve response times and ensure only approved users are accessing the appropriate resources.

Additionally, we refined our Company Official Use (COU) policies in 2025 to better communicate the behaviors aligned with our risk appetite. By limiting COU devices to internally approved applications (accessible solely through the Company Portal for Apple devices or the Managed Play Store for Android), we reduce exposure to unapproved software and strengthen safeguards against device and data compromise.

Customer Security

To enhance customer security, we upgraded our ActiveArmor® mobile security app, enhancing call, text and browsing protection for customers with identity restoration services and more. In 2025, we signed an agreement to launch AT&T Dynamic Defense™ with Palo Alto Networks, embedding AI-powered cybersecurity directly into our network infrastructure for real-time threat protection and Zero Trust security.

AT&T also provides a dedicated Fraud Resources website that enables customers to easily report suspected fraud, request account reviews and access support, complementing in-store and call center channels to ensure timely investigation and resolution.

Quantum Computing

Quantum computing poses a future threat to today’s encryption standards, and AT&T’s CSO is proactively addressing this risk through our Quantum Security Initiative. This program focuses on assessing potential vulnerabilities, preparing our network and systems for post-quantum security requirements and ensuring that customer data remains protected as these technologies evolve. Our work today helps ensure that essential connections, from passwords to financial transactions, remain secure in a post-quantum future.

Collaborating Across the Industry

Protecting telecommunications infrastructure is a collective responsibility, and collaboration across the industry is essential to staying ahead of rapidly evolving threats. Because our networks depend on the resilience of every participant in the ecosystem, we work closely with peers and security professionals to share insights, elevate industry-leading practices and strengthen protections for our customers.

In 2025, we hosted the annual Secure Connections conference, a premier cybersecurity event at our Dallas headquarters and broadcasted live to a global audience. The event brings together leaders from business, government and academia to collaborate and exchange insights on today’s most significant cybersecurity challenges. In 2025, a total of 23 organizations participated in Secure Connections.

In 2025, we co-hosted the Telecommunications Cyber Cup Challenge, a live, industry-wide exercise that brought together cybersecurity professionals from global telecom carriers to test defense protocols, exchange industry-leading practices and strengthen collective resilience. The event helped deepen cross-industry coordination and reinforced the importance of preparing together for emerging threats.

This industry gathering was just one part of a broader effort by the world’s leading telecom carriers to anticipate and stop cybersecurity threats before they affect customers. Today’s threats are persistent, increasingly sophisticated and constantly evolving – which is why we’re constantly innovating to stay ahead of the curve.

We have convened industry CISOs multiple times over the past year to improve information-sharing across our industry and government partners. As a result of this proactive effort, professionals across the industry have built stronger relationships and regularly discuss security findings, coordinate responses to real-time threats and share industry-leading practices. This collaboration is critical as we exercise flexibility in continuing to respond to the evolving threat environment and protect our customers.

Disclaimer

This document provides an overview of the AT&T security policies and program as of April 7th, 2026 and is subject to change. To maximize security, AT&T does not divulge details regarding the tools and processes used to manage security. AT&T operates a common infrastructure used for its internal communications, as well as shared by its customers. Consequently, AT&T implements and maintains commercially reasonable technical and organizational controls and measures to safeguard all data and customers on the shared network platforms, including customers with uniquely hosted environments and custom safeguards.

This document is provided as summary information only and is intended solely for informational purposes. It is not a contract, and no statement, representation or characterization within this document shall be construed as an implied or express commitment, obligation or warranty on the part of AT&T Inc., its affiliates, or their respective directors, officers, employees or agents.

All contractual obligations between AT&T and its customer are set out exclusively in a written agreement with the customer, and nothing in this document shall amend, modify, supplement or otherwise change the provisions or terms of that agreement.

AT&T may, in its sole discretion, alter the policies and procedures described in this document without notice to or consultation with any customer or another person. AT&T customers are responsible for maintaining security policies and programs appropriate to their enterprises.