Booz Allen Hamilton Holding Corp 10-K Cybersecurity GRC - 2024-05-24

Page last updated on July 16, 2024

Booz Allen Hamilton Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-24 06:51:14 EDT.

Filings

10-K filed on 2024-05-24

Booz Allen Hamilton Holding Corp filed a 10-K at 2024-05-24 06:51:14 EDT
Accession Number: 0001443646-24-000075


Item 1C. Cybersecurity.

As one of the world’s largest cybersecurity solution providers, we routinely defend against advanced persistent threats both internally and for our clients. Our cybersecurity risk management program is an integral part of our overall enterprise risk management program, and is designed to assess, identify, manage and mitigate internal and external cybersecurity risks, threats and incidents.

Risk Management and Strategy

Our Board and its committees oversee the Company’s risk management processes, including but not limited to those relevant to cybersecurity risks, and are regularly briefed by management on risk management considerations. One of the primary tools that facilitates the Board’s oversight and mitigation of risk is the Company’s Enterprise Risk Management (“ERM”) Program, which is designed to look holistically at risks which may cause a material, adverse impact to the Company’s operations, reputation, or value. As part of the ERM Program, our Chief Operating Officer directs and chairs the ERM Steering Committee, which is comprised of members of senior management, including our Chief Financial Officer, General Counsel, Chief Information Officer, Chief Information Security Officer, Chief Administrative Officer, and Chief Ethics and Compliance Officer. Under the ERM Program, our Chief Operating Officer prepares for the Board a quarterly update of our enterprise risks, including but not limited to enterprise cybersecurity risks, and conducts with the Board an annual risk identification and mitigation analysis. In addition to updates provided through the ERM Program, the Board is regularly updated by members of management, including the Chief Accounting Officer, Chief Legal Officer, and members of the ERM Steering Committee concerning significant risks facing the Company and processes that have been implemented to mitigate these risks, including but not limited to cybersecurity risks.

Additionally, throughout the year, each of our sector presidents who leads one of our major market units provides a comprehensive overview of their market, including risks and challenges. See “Item 1C. Cybersecurity-Governance-Management’s Responsibilities” below for additional information regarding our cybersecurity risk management program. We also conduct periodic internal and third-party assessments, threat simulations, and exercises to test the effectiveness of our cybersecurity defenses and controls, including associated policies and procedures. We undertake efforts to address and mitigate risks from vulnerabilities identified during such assessments, simulations, and exercises.

Governance

Management’s Responsibilities

Our cybersecurity risk management program is led by our Chief Information Officer (“CIO”) and our Chief Information Security Officer (“CISO”), who are responsible for our information security strategy, policies, security architecture and engineering, security operations, and cybersecurity threat detection and response. Our CIO has over 25 years of information technology and program management experience, addressing complex information technology and cybersecurity challenges for large-scale enterprises in the U.S. Department of Defense, U.S. federal agencies, and commercial organizations. Our CISO, a Certified Information Systems Security Professional (“CISSP”), has over 20 years of information security and program management experience and has served as the CISO for several large-scale enterprises in the U.S. government services industry, commercial organizations, and not-for-profit organizations. As a government contractor, we are required to comply with extensive regulations and standards, including but not limited to cybersecurity regulations and standards and the requirements of the DFARS. Additionally, our cybersecurity risk management program is guided by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Our policies and implemented controls have been assessed by external organizations, including industry partners and the federal government.

We work closely with our subcontractors and suppliers to identify and manage cybersecurity risks and, as appropriate, require them to comply with applicable laws and regulations. These contractual requirements include the requirement that our subcontractors implement certain security controls, and that our subcontractors self-report the status of their implementation of these controls to the U.S. government. To manage cybersecurity risk introduced from our supply chain, depending on the nature of a supplier’s work and the sensitivity of the Booz Allen and client information provided to the supplier, we also require suppliers to complete our security questionnaires (based on data categorization) and provide evidence of security accreditations, and we evaluate supplier compliance with security requirements using internal and third-party resources.

Our CIO and CISO also lead our Cyber Fusion Center (“CFC”), whose function is, pursuant to our Cyber Incident Response Plan, to stay apprised of existing and emerging cybersecurity threats and monitor our information systems to proactively identify, protect against, and mitigate cybersecurity threats. The CFC uses intelligence collected from various sources, fused with intelligence collected from analysis and response actions, to proactively search for and address adversary activity against our information systems. The CFC possesses in-depth knowledge of network, endpoint, perimeter security systems, identity-based vulnerabilities, data protection, threat intelligence, forensics, penetration testing, and malware reverse engineering, as well as the functioning of specific applications or underlying information systems infrastructure.

The Cyber Incident Response Team (“CIRT”) is responsible for the incident response process and provides direction and guidance to users of Booz Allen information systems when responding to cybersecurity incidents. The CIRT also provides intrusion monitoring of networks and information systems, and performs triage and analysis of events to identify potential incidents, including potential incidents occurring on third-party systems. The CIRT categorizes anomalous cybersecurity events into discrete levels in which cybersecurity events are escalated to appropriate levels of management, as well as our Cyber Incident Materiality Committee, Audit Committee, and Board, based on the severity of the incident. While typical cybersecurity management and incident response is provided by internal resources, we have arrangements with certain third parties whom we can engage if additional support and resources are required.

Board of Directors’ Roles and Responsibilities

The Audit Committee is responsible for oversight of the Company’s risk management and mitigation, including but not limited to the Company’s cybersecurity risks, and is regularly briefed by our CIO and CISO regarding the Company’s cybersecurity risk management program, cybersecurity incidents involving the Company, vendors, suppliers, subcontractors and other third parties, as well as associated mitigation actions taken, in order to assess and manage associated risks and potential harm and damages. The Audit Committee reports to the Board on cybersecurity risks to the Company on a periodic basis.

Cybersecurity Threats

Even with our extensive and systematic approach to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the cost related to cybersecurity threats or disruptions may not be fully insured.

During the period covered by this Annual Report, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or our financial condition. Future cybersecurity incidents could, however, materially affect our business strategy, results of operations, reputation, or financial condition. See Item 1A, “Risk Factors,” for a discussion on cybersecurity risks and how they could materially affect the Company.

Company Information

Name: Booz Allen Hamilton Holding Corp
CIK: 0001443646
SIC Description: Services-Management Consulting Services
Ticker: BAH - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30