Page last updated on July 16, 2024
NORTHROP GRUMMAN CORP /DE/ described its cybersecurity risk management and governance process in an annual report on Form 10-K filed on 2024-01-25 at 16:02:51 EST. The Item 1C and Item 1A text below is reproduced from that filing.
Filings
10-K filed on 2024-01-25
NORTHROP GRUMMAN CORP /DE/ filed a 10-K at 2024-01-25 16:02:51 EST
Accession Number: 0001133421-24-000006
Item 1C. Cybersecurity.
We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by both management and our Board of Directors.
The Chief Information Office, which maintains our cybersecurity function, is led by our Chief Information Officer (CIO), who reports to our CEO. The Chief Information Security Officer (CISO) reports to the CIO and generally is responsible for management of cybersecurity risk and the protection and defense of our networks and systems. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance.
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on the Company’s risk management process and the risk trends related to cybersecurity at least annually. The Audit and Risk Committee specifically assists the Board in its oversight of risks related to cybersecurity. To help ensure effective oversight, the Audit and Risk Committee receives reports on information security and cybersecurity from the CISO at least four times a year.
In addition, the Company’s Enterprise Risk Management Council (ERMC) considers risks relating to cybersecurity, among other significant risks, and applicable mitigation plans to address such risks. The ERMC is comprised of the Executive Leadership Team, as well as the Chief Accounting Officer, Chief Compliance Officer, Corporate Secretary, Chief Sustainability Officer, Treasurer and Vice President, Internal Audit. The CIO and CISO attend each ERMC meeting. The ERMC meets during the year and receives periodic updates on cybersecurity risks from the CIO and CISO. We have an established process and playbook led by our CISO governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this process provides for escalating notification to our CEO and the Board (including our Lead Independent Director and the Audit and Risk Committee chair).
Our approach to cybersecurity risk management includes the following key elements:
- Multi-Layered Defense and Continuous Monitoring - We work to protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and search for cyber threats. Our Cybersecurity Operations Center provides comprehensive cyber threat detection and response capabilities and maintains a 24x7 monitoring system which complements the technology, processes and threat detection techniques we use to monitor, manage and mitigate cybersecurity threats. From time to time, we engage third party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats. We also periodically use our Internal Audit function to conduct additional reviews and assessments.
- Insider Threats - We maintain an insider threat program designed to identify, assess, and address potential risks from within our Company. Our program evaluates potential risks consistent with industry practices, customer requirements and applicable law, including privacy and other considerations.
- Information Sharing and Collaboration - We work with government, customer, industry and/or supplier partners, such as the National Defense Information Sharing and Analysis Center and other government-industry partnerships, to gather and develop best practices and share information to address cyber threats. These relationships enable the rapid sharing of threat and vulnerability mitigation information across the defense industrial base and supply chain.
- Third Party Risk Assessments - We conduct information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and our standard terms and conditions contain contractual provisions requiring certain security protections.
- Training and Awareness - We provide awareness training to our employees to help identify, avoid and mitigate cybersecurity threats. Our employees with network access participate annually in required training, including spear phishing and other awareness training. We also periodically host tabletop exercises with management and other employees to practice rapid cyber incident response.
- Supplier Engagement - We provide training and other resources to our suppliers to support cybersecurity resiliency in our supply chain. We also require our suppliers to comply with our standard information security terms and conditions, in addition to any requirements from our customers, as a condition of doing business with us, and require them to complete information security questionnaires to review and assess any potential cyber-related risks depending on the nature of the services being provided.
While we have experienced cybersecurity incidents in the past, to date none have materially affected the Company or our financial position, results of operations and/or cash flows. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see “Risk Factors.”
Item 1A. Risk Factors.
Our business could be negatively impacted by cyber and other security threats or disruptions.
As a defense contractor, we face significant cyber and other security threats. They include, among other things, attempts to gain unauthorized access to sensitive information or otherwise compromise the integrity, confidentiality and/or availability of our systems, hardware and networks, and the information on them; insider threats; ransomware; threats to the safety of our directors, officers and employees; threats to our facilities, infrastructure, products (we produce and use), and subcontractors or other suppliers (referred to inclusively as suppliers); and threats from terrorist acts, espionage, civil unrest and other acts of aggression. We are also subject to increasing government, customer and other cyber and security requirements, including disclosure obligations.
We have robust measures in place to address and mitigate cyber-related risks. However, we have experienced cyber attacks and expect we will continue to experience additional attacks in the future, including from nation states and non-state actors. We continue to invest in the cybersecurity and resiliency of our networks and products and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. These include timely detection of incidents through monitoring, training, incident response capabilities, and mitigating cyber and security risks to our data, systems, products and services. We also partner with the government and others in our industry to help protect national security. However, given the complex, continuing and evolving nature of cyber and other security threats, including threats from targeting by more advanced and persistent adversaries, including nation states and other actors, these efforts may not be fully effective, particularly against previously unknown vulnerabilities that could go undetected for an extended period.
Our customers and partners (including our suppliers and joint ventures) to whom we entrust confidential data, and on whom we rely to provide products and services, face similar threats and growing requirements, including ones for which others may seek to hold us responsible. We depend on our customers, suppliers, and other business partners to implement and verify adequate controls and safeguards to protect against and report cyber incidents. If they fail to deter, detect or report cyber incidents in a timely manner, we may suffer financial and other harm, including to our information, operations, performance, employees and reputation.
Although we implement various measures and controls to monitor and mitigate risks associated with these threats and to increase the cyber resiliency of our infrastructure and products, there can be no assurance that these processes will be sufficient. Successful attacks could lead to losses or misuse of sensitive information or capabilities; theft or corruption of data; harm to personnel, infrastructure or products; financial costs and liabilities; protracted disruptions in our operations and performance; and the misuse of our products, as well as damage to our reputation as a provider of cyber-related or cyber-protected goods and services. We have not always been able to and may in the future not always be able to obtain adequate insurance to cover our losses.
Cyber threats, both on premises and in the cloud, are evolving and include, but are not limited to: malicious software, destructive malware, ransomware, attempts to gain unauthorized access to systems or data, disruption to operations, critical systems or denial of service attacks; unauthorized release of confidential, personal or other protected information (ours or that of our employees, customers or partners); corruption of data, networks or systems; harm to individuals; and loss of assets. We have been and could be impacted by cyber threats or other disruptions or vulnerabilities found in products or services we use or in our internal, partners’ or customers’ systems that are used in connection with our business. Some of these threats are zero-day attacks associated with previously unknown vulnerabilities in third party software or products we utilize in our business. Cyber events, if not prevented or effectively mitigated, have caused and could cause harm and require remedial actions. They could also damage our reputation, disrupt performance, impact our ability to obtain future insurance coverage, and lead to loss of business, regulatory actions, liabilities or other financial losses, for which we do not have adequate sources of recovery.
We provide systems, products and services to various customers who also face cyber threats. Our systems, products and services may not be able to detect or deter threats, or effectively to mitigate resulting losses. These losses could adversely affect our customers and our company.
We also face increasing and evolving disclosure obligations related to cyber and other security events. Despite rigorous processes, we risk failing to meet all our existing or future disclosure obligations and/or having our disclosures misinterpreted. National security or public safety considerations may also affect, or in limited instances prevent, our public disclosure of a cybersecurity incident in certain circumstances.
We also face threats to our physical security, including to our facilities and the safety and well-being of our people. These threats could involve terrorism, insider threats, workplace violence, civil unrest, natural disasters, damaging weather, or fires, which could adversely affect our company. Our customers and suppliers face similar risks that, if realized, could also adversely impact our operations. Such acts could cause delays, manufacturing downtime, or other impacts that could detrimentally impact our ability to perform our operations. We could also incur unanticipated costs to remediate impacts and lost business.
The occurrence and impact of these various risks are difficult to predict, but one or more of them could have a material adverse effect on our financial position, results of operations and/or cash flows.
Company Information
| Field | Value |
|---|---|
| Name | NORTHROP GRUMMAN CORP /DE/ |
| CIK | 0001133421 |
| SIC Description | Search, Detection, Navigation, Guidance, Aeronautical Sys |
| Ticker | NOC - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |