DELTA AIR LINES, INC. 10-K Cybersecurity GRC - 2024-02-12

Page last updated on September 11, 2024

DELTA AIR LINES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-12 17:04:29 EST.

Company Summary

Delta Air Lines is one of the major airlines of the United States and a legacy carrier headquartered in Atlanta, Georgia. It is the United States’ oldest operating airline and the seventh-oldest operating worldwide. (Source: Wikipedia)

Filings

10-K filed on 2024-02-12

DELTA AIR LINES, INC. filed a 10-K at 2024-02-12 17:04:29 EST
Accession Number: 0000027904-24-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity ITEM 1C. CYBERSECURITY We are committed to safeguarding our information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Our program to protect our information assets and the management of risks to those assets supports the confidentiality, integrity, and availability of the information necessary to our long-term business success. Risk Management & Strategy Our processes for assessing, identifying and managing material risks from cybersecurity threats is incorporated into our Enterprise Risk Management (“ERM”) framework. Our information security and ERM teams coordinate to regularly review and assess these risks using a wide range of tools and services. Our cybersecurity program leverages components from several industry frameworks and generally recognized best practices, including International Organization for Standardization 27001 and National Institute of Standards and Technology (“NIST”) standards, such as the NIST Cybersecurity Framework, which emphasizes identification, protection, detection, response and recovery. We regularly assess our information security program capabilities and tools to improve reliability, enhance capabilities and scan our environment for vulnerabilities and weaknesses. Our information technology teams are trained to remediate vulnerabilities identified within established timeframes and our information security team reports to management on a weekly basis regarding the security risk posture of our information technology assets. We have established a dedicated Information Technology Risk team tasked with the goal of ensuring that risk remediation activities are carried out consistently and that risk remediation controls are operating as intended and within established thresholds. Enterprise-wide training is a vital component to reducing risk and protecting customers, employees and company information. We expect all Delta employees to adhere to information security and privacy policies as they handle corporate and customer information in their daily jobs. As a result, we require all employees and contractors with access to Delta’s information to complete annual training, which is updated as new technology, security and privacy issues emerge. All new employees are required to complete training within 30 days of hire. We also regularly conduct other training and employee education activities, including through awareness programs and campaigns. We engage with assessors, consultants, auditors and other third parties, including by regularly having a third party review our overall cybersecurity program to help identify areas for continued focus, improvement and/or compliance. In connection with certain regulatory requirements, we are required to engage third parties to assess our cybersecurity controls. Our cybersecurity program is subject to TSA requirements applicable to certain TSA-regulated airport and aircraft operators, including the requirement to develop a TSA-approved implementation plan describing measures we are taking to improve cybersecurity and to assess the effectiveness of those measures on an ongoing basis. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. We regularly test our incident response processes through table-top exercises to ensure they continue to be effective as our business and the cybersecurity threat landscape evolve. Our incident response processes are designed to guide the actions we take to prepare for, detect, respond to and recover from cybersecurity incidents. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We describe whether and how risks related to cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference in this Item 1C. Delta Air Lines, Inc. | 2023 Form 10-K 27 Item 1C. Cybersecurity Governance Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer. In 2023, the Audit Committee received briefings on information security matters at all of its regular meetings. In addition, our Chief Information Officer, our Chief Information Security Officer, other members of our information technology leadership team and an outside legal expert on cybersecurity matters held a special session with all members of our Board of Directors to provide an overview of the information security environment. In addition to information provided in these meetings, members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies. Our information security team is led by our Senior Vice President & Chief Information Security Officer, who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Risk Council and Leadership Committee, as well as the Audit Committee and the Board, as merited. Delta Air Lines, Inc. | 2023 Form 10-K 28
ITEM 1C. CYBERSECURITY We are committed to safeguarding our information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Our program to protect our information assets and the management of risks to those assets supports the confidentiality, integrity, and availability of the information necessary to our long-term business success. Risk Management & Strategy Our processes for assessing, identifying and managing material risks from cybersecurity threats is incorporated into our Enterprise Risk Management (“ERM”) framework. Our information security and ERM teams coordinate to regularly review and assess these risks using a wide range of tools and services. Our cybersecurity program leverages components from several industry frameworks and generally recognized best practices, including International Organization for Standardization 27001 and National Institute of Standards and Technology (“NIST”) standards, such as the NIST Cybersecurity Framework, which emphasizes identification, protection, detection, response and recovery. We regularly assess our information security program capabilities and tools to improve reliability, enhance capabilities and scan our environment for vulnerabilities and weaknesses. Our information technology teams are trained to remediate vulnerabilities identified within established timeframes and our information security team reports to management on a weekly basis regarding the security risk posture of our information technology assets. We have established a dedicated Information Technology Risk team tasked with the goal of ensuring that risk remediation activities are carried out consistently and that risk remediation controls are operating as intended and within established thresholds. Enterprise-wide training is a vital component to reducing risk and protecting customers, employees and company information. We expect all Delta employees to adhere to information security and privacy policies as they handle corporate and customer information in their daily jobs. As a result, we require all employees and contractors with access to Delta’s information to complete annual training, which is updated as new technology, security and privacy issues emerge. All new employees are required to complete training within 30 days of hire. We also regularly conduct other training and employee education activities, including through awareness programs and campaigns. We engage with assessors, consultants, auditors and other third parties, including by regularly having a third party review our overall cybersecurity program to help identify areas for continued focus, improvement and/or compliance. In connection with certain regulatory requirements, we are required to engage third parties to assess our cybersecurity controls. Our cybersecurity program is subject to TSA requirements applicable to certain TSA-regulated airport and aircraft operators, including the requirement to develop a TSA-approved implementation plan describing measures we are taking to improve cybersecurity and to assess the effectiveness of those measures on an ongoing basis. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. We regularly test our incident response processes through table-top exercises to ensure they continue to be effective as our business and the cybersecurity threat landscape evolve. Our incident response processes are designed to guide the actions we take to prepare for, detect, respond to and recover from cybersecurity incidents. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We describe whether and how risks related to cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference in this Item 1C. Delta Air Lines, Inc. | 2023 Form 10-K 27 Item 1C. Cybersecurity Governance Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer. In 2023, the Audit Committee received briefings on information security matters at all of its regular meetings. In addition, our Chief Information Officer, our Chief Information Security Officer, other members of our information technology leadership team and an outside legal expert on cybersecurity matters held a special session with all members of our Board of Directors to provide an overview of the information security environment. In addition to information provided in these meetings, members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies. Our information security team is led by our Senior Vice President & Chief Information Security Officer, who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Risk Council and Leadership Committee, as well as the Audit Committee and the Board, as merited. Delta Air Lines, Inc. | 2023 Form 10-K 28 Item 2. Properties
Item 1C. Delta Air Lines, Inc. | 2023 Form 10-K 27 Item 1C. Cybersecurity Governance Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer. In 2023, the Audit Committee received briefings on information security matters at all of its regular meetings. In addition, our Chief Information Officer, our Chief Information Security Officer, other members of our information technology leadership team and an outside legal expert on cybersecurity matters held a special session with all members of our Board of Directors to provide an overview of the information security environment. In addition to information provided in these meetings, members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies. Our information security team is led by our Senior Vice President & Chief Information Security Officer, who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Risk Council and Leadership Committee, as well as the Audit Committee and the Board, as merited. Delta Air Lines, Inc. | 2023 Form 10-K 28 Item 2. Properties ITEM 2. PROPERTIES Flight Equipment Our operating aircraft fleet, purchase commitments and options at December 31, 2023 are summarized in the following table. Mainline aircraft information by fleet type Current Fleet (1) Commitments Fleet Type Owned Finance Lease Operating Lease Total Average Age (Years) Purchase Options A220-100 41 4 - 45 4.0 - - A220-300 23 - - 23 1.6 77 - A319-100 57 - - 57 21.8 - - A320-200 60 - - 60 28.2 - - A321-200 63 22 42 127 5.0 - - A321-200neo 48 - - 48 0.8 107 70 A330-200 11 - - 11 18.8 - - A330-300 28 - 3 31 14.9 - - A330-900neo 19 3 5 27 2.0 12 - A350-900 17 - 11 28 5.1 16 - B-717-200 10 70 - 80 22.3 - - B-737-800 73 4 - 77 22.3 - - B-737-900ER 114 - 49 163 8.0 - - B-737-10 - - - - - 100 30 B-757-200 100 - - 100 26.4 - - B-757-300 16 - - 16 20.9 - - B-767-300ER 44 - - 44 27.7 - - B-767-400ER 21 - - 21 23.0 - - Total 745 103 110 958 14.8 312 100 (1) Excludes certain aircraft we own or lease that are operated by regional carriers on our behalf shown in the table below. The following table summarizes the aircraft operated by regional carriers on our behalf at December 31, 2023. In 2023, we retired all remaining CRJ-200 aircraft from service. Regional aircraft information by fleet type and carrier Fleet Type (1)(2) Carrier CRJ-700 CRJ-900 Embraer 170 Embraer 175 Total Endeavor Air, Inc. (3) 9 118 - - 127 SkyWest Airlines, Inc. 8 38 - 85 131 Republic Airways, Inc. - - 11 46 57 Total 17 156 11 131 315 (1) We own 190 and have operating leases for three of these regional aircraft. The remainder are owned or leased by SkyWest Airlines, Inc. or Republic Airways, Inc. (2) Excluded from the total operating count above are nine CRJ-700 and five CRJ-900 which are owned and temporarily parked as of December 31, 2023. (3) Endeavor Air, Inc. is a wholly owned subsidiary of Delta. Delta Air Lines, Inc. | 2023 Form 10-K 29
Item 1C. Cybersecurity Governance Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer. In 2023, the Audit Committee received briefings on information security matters at all of its regular meetings. In addition, our Chief Information Officer, our Chief Information Security Officer, other members of our information technology leadership team and an outside legal expert on cybersecurity matters held a special session with all members of our Board of Directors to provide an overview of the information security environment. In addition to information provided in these meetings, members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies. Our information security team is led by our Senior Vice President & Chief Information Security Officer, who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Risk Council and Leadership Committee, as well as the Audit Committee and the Board, as merited. Delta Air Lines, Inc. | 2023 Form 10-K 28 Item 2. Properties ITEM 2. PROPERTIES Flight Equipment Our operating aircraft fleet, purchase commitments and options at December 31, 2023 are summarized in the following table. Mainline aircraft information by fleet type Current Fleet (1) Commitments Fleet Type Owned Finance Lease Operating Lease Total Average Age (Years) Purchase Options A220-100 41 4 - 45 4.0 - - A220-300 23 - - 23 1.6 77 - A319-100 57 - - 57 21.8 - - A320-200 60 - - 60 28.2 - - A321-200 63 22 42 127 5.0 - - A321-200neo 48 - - 48 0.8 107 70 A330-200 11 - - 11 18.8 - - A330-300 28 - 3 31 14.9 - - A330-900neo 19 3 5 27 2.0 12 - A350-900 17 - 11 28 5.1 16 - B-717-200 10 70 - 80 22.3 - - B-737-800 73 4 - 77 22.3 - - B-737-900ER 114 - 49 163 8.0 - - B-737-10 - - - - - 100 30 B-757-200 100 - - 100 26.4 - - B-757-300 16 - - 16 20.9 - - B-767-300ER 44 - - 44 27.7 - - B-767-400ER 21 - - 21 23.0 - - Total 745 103 110 958 14.8 312 100 (1) Excludes certain aircraft we own or lease that are operated by regional carriers on our behalf shown in the table below. The following table summarizes the aircraft operated by regional carriers on our behalf at December 31, 2023. In 2023, we retired all remaining CRJ-200 aircraft from service. Regional aircraft information by fleet type and carrier Fleet Type (1)(2) Carrier CRJ-700 CRJ-900 Embraer 170 Embraer 175 Total Endeavor Air, Inc. (3) 9 118 - - 127 SkyWest Airlines, Inc. 8 38 - 85 131 Republic Airways, Inc. - - 11 46 57 Total 17 156 11 131 315 (1) We own 190 and have operating leases for three of these regional aircraft. The remainder are owned or leased by SkyWest Airlines, Inc. or Republic Airways, Inc. (2) Excluded from the total operating count above are nine CRJ-700 and five CRJ-900 which are owned and temporarily parked as of December 31, 2023. (3) Endeavor Air, Inc. is a wholly owned subsidiary of Delta. Delta Air Lines, Inc. | 2023 Form 10-K 29


Company Information

NameDELTA AIR LINES, INC.
CIK0000027904
SIC DescriptionAir Transportation, Scheduled
TickerDAL - NYSE
Website
CategoryLarge accelerated filer
Fiscal Year EndDecember 30