Page last updated on July 16, 2024
Spirit AeroSystems Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:08:21 EST.
Filings
10-K filed on 2024-02-22
Spirit AeroSystems Holdings, Inc. filed a 10-K at 2024-02-22 16:08:21 EST
Accession Number: 0001628280-24-006331
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity Cybersecurity Program Our cybersecurity program is designed to detect known and anticipated threats, and contemplate various types of unexpected but possible threats. We have developed processes to identify, assess, mitigate, analyze and respond to threats, and continue to mature our cyber resiliency solutions. We continuously monitor the cybersecurity landscape and identify active and potential threats through a combination of tools and processes. Our Global Information Security (“GIS”) team has day-to-day responsibility for Spirit’s cybersecurity program. This group is led by a Chief Information Security Officer (“CISO”) with more than twenty years of audit and cybersecurity experience. The CISO collaborates across the business, participates in internal audits, and is active in several leading industry groups to help benchmark our efforts with third parties. GIS receives and analyzes information from various resources to inform our cybersecurity program needs. An Enterprise Security Council comprised of GIS, Information Technology, Legal, Compliance, Internal Audit, and Enterprise Risk Management meets regularly to discuss emerging cyber risks and corresponding mitigations as part of our overall Enterprise Risk Management program. Significant risks are escalated to the Enterprise Risk Council which is chaired by our President and CEO, who was the Deputy Secretary of Defense during the development of the 2018 Department of Defense Cyber Strategy. We implement appropriate controls to protect our information or information we have control of on our systems, and our operations. We evaluate our controls and systems against industry-recognized standards, and contractual requirements, as applicable. The CISO monitors and reviews our process of patching compliance, which is managed and executed via a combination of internal resources and third-party service providers. We also use third parties to supplement monitoring of cyber activity and for various special projects, which may include projects related to cybersecurity. As part of our cybersecurity risk management program, we have planned “tabletop” exercises designed to simulate various cybersecurity threats or intrusions and help identify gaps in our preparedness, and help provide clarity in how to respond to any potential incidents. These exercises are designed to test the working level and senior leadership level, including participation by Executive Leadership Team. All employees are required to take mandatory cybersecurity training courses throughout the year. We execute simulated phishing exercises and provide direct feedback to employees who fail such simulations to help them understand how to recognize phishing attempts. Our overall program is designed to help us prevent and effectively respond to cybersecurity incidents. GIS maintains an Incident Management and Response Policy that provides a classification framework for cybersecurity incidents and defines critical roles and responsibilities during a cybersecurity incident. The Incident Response Policy specifies ownership and timing of key actions and prescribes the engagement of functional leaders, senior Executives, and the Board of Directors, depending on the incident. We have developed playbooks to guide specific actions related to different incident types. Finally, we have a cyber insurance policy underwritten by a global leader in commercial insurance solutions. Part of our Enterprise Risk Management program involves understanding risks that third parties, including those that our supply chain introduce to our organization. Our cybersecurity program is in the process of maturing how we assess third-party cyber risks, particularly in situations where we share confidential or sensitive information, or in situations where our operations may be impacted through a cybersecurity incident at a third party. Cybersecurity Governance The Board of Directors’ Risk Committee has the responsibility for oversight of our cybersecurity program. This committee’s membership includes subject matter experts in both cybersecurity and national security. Spirit’s CISO reports to the Risk Committee quarterly on the state of our cybersecurity program. Cybersecurity Risks Although cybersecurity risks have not materially affected us, including our business strategy, results of operations, or financial condition, during the period covered by this report, we are subject to various cybersecurity risks, which could, in the future, be material. For more information about the cybersecurity risks we face, see Item 1A. “Risk Factors - Risks Related to Our Operations”
Company Information
Name | Spirit AeroSystems Holdings, Inc. |
CIK | 0001364885 |
SIC Description | Aircraft Parts & Auxiliary Equipment, NEC |
Ticker | SPR - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |