VIASAT INC 10-K Cybersecurity GRC - 2024-05-29

Page last updated on July 16, 2024

VIASAT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-29 16:53:45 EDT.

Filings

10-K filed on 2024-05-29

VIASAT INC filed a 10-K at 2024-05-29 16:53:45 EDT
Accession Number: 0000950170-24-066031


Item 1C. Cybersecurity.

Viasat Cybersecurity Risk Management, Strategy and Governance Disclosure

Viasat builds, maintains, and operates satellite and telecommunications systems, infrastructure and services used by both government and commercial customers across the globe. We recognize the importance of building a resilient cybersecurity program focused on reducing cybersecurity risk to our customers, partners and our own organization. Our Cybersecurity Engineering organization, at the direction of the Board of Directors, has developed and implemented a cybersecurity risk management and technical assistance program intended to protect the confidentiality, integrity and availability of the services provided and the information stored, processed or transmitted by our critical systems and infrastructure, while assisting staff to develop, operate and maintain secure products and services.

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated governance of cybersecurity and other technology risks to the Audit Committee (the Committee). Our management is ultimately responsible for assessing and managing risks from cybersecurity threats we face, and in this regard works closely with the Chief Information Security Officer (CISO) who reports to our Chief Corporate Officer.

The Committee oversees our management’s design and implementation of our cybersecurity risk management program and receives periodic reports, at least semi-annually, from the CISO on cybersecurity risks, the threat landscape, and our cybersecurity planning roadmap. In addition, the CISO updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as other relevant incidents and potential or mitigated threats. The Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity, and may request the CISO brief the Board of Directors on the status of cybersecurity and risk management programs, as well as relevant incidents and threats. Board members also receive periodic presentations on key cybersecurity topics from the CISO.

Our operational cybersecurity team is led by the CISO. The CISO has 31 years of experience in Information Technology and Security, with extensive experience designing, operating and protecting satellite and terrestrial telecommunications networks. The CISO also leads Viasat’s engagement with the private sector and government security communities, which includes facilitating active information sharing with these partners. With the Inmarsat acquisition, the Senior Vice President, Global Security of Inmarsat joined the cybersecurity team, bringing their experience including senior cybersecurity and intelligence roles within the UK Ministry of Defence and Central Government. The operational cybersecurity teams of both legacy organizations jointly participate in local and national cybersecurity organizations, teach classes on cybersecurity, maintain numerous relevant certifications, and participate in training relevant to their field of expertise.

The cybersecurity risk management program at Viasat is centered around an internally developed set of security principles and requirements, known internally as our “Foundational Security Principles”. The Foundational Security Principles, which we seek to apply across our products and services to promote security resiliency and repeatability, represent a minimum baseline of information security requirements. These principles have a focus on secure-by-design approaches for new products and services, and provide the basis for risk-informed control implementations for legacy networks and systems.

Our Foundational Security Principles are designed with reference to the current published version of industry frameworks including, but not limited to, NIST Cybersecurity Framework 2.0, International Standards Organization (ISO) 27001, Payment Card Industry (PCI) Data Security Standard (DSS), National Institute of Standards and Technology (NIST) 800-171, and tailored baselines of NIST 800-53. This does not imply that we have implemented each, or any specific, technical standard, specification or configuration embedded in these frameworks but rather that they collectively inform and guide our identification, assessment and management of cybersecurity risks relevant to our businesses. Certain IT environments with higher risk or contractual, regulatory or customer requirements, or those environments where processing or storing sensitive types of information are required, are designed to comply with stricter sets of security requirements or security control frameworks.

We recognize our recent acquisition of Inmarsat represents an opportunity to build on the existing cybersecurity risk programs incorporating and integrating the strengths of both legacy cybersecurity organizations. The Inmarsat Cybersecurity Team has historically been guided by the NIST Cybersecurity Framework. The legacy Viasat and Inmarsat cybersecurity organizations will report to Viasat’s CISO and are actively integrating the two legacy companies’ cybersecurity policies, processes, and operations, as well as combining the cybersecurity functions into a single organization, with appropriate focus on the overall Viasat and Inmarsat satellite service network integration activities.

Functionally, our cybersecurity team performs internal and external risk assessments and testing on both internally and externally developed systems, as well as certain third-party and supply chain partner ecosystems based on our assessment of their respective operational criticality and risk profile. Depending on the risks presented, this may include some combination of manual and automation-driven testing methods and supply chain risk management activities such as hardware and software assurance assessments, anti-counterfeit measures, and the use of trusted suppliers. Compliance with security policies, procedures, and standards is assessed, and depending on the potential risks posed to us, third-party assessments may be performed, including penetration tests, red team engagements, gap assessments, and compliance certification assessments. We also conduct several 3rd party compliance and audit assessments, including PCI DSS Tier 1 Merchant and Service Provider, ISO27001, UK Cyber Essentials Plus, and DFARS 252.204-7012 High Assurance assessments.

The cybersecurity team also closely collaborates with our physical security team on planning, risk assessment, and incident response where appropriate, as well as developing and delivering a joint annual security training and education program that engages our employees, appropriate partners and third parties in a security training program that incorporates both cybersecurity and physical security elements. Additionally, our annual security training program supports additional focused security training for personnel handling certain sensitive information such as payment card information (PCI), controlled unclassified information (CUI), or personally identifiable information (PII).

To better understand Viasat’s threat landscape we partner with multiple U.S. government agencies to acquire and share cybersecurity threat intelligence related to threats, vulnerabilities, indicators of compromise, and current, relevant threat information that are expected as a cleared defense contractor and active Defense Industrial Base (DIB) member. Partner entities include the Defense Cyber Crime Center (DC3), Defense Cybersecurity Information Sharing Environment (DCISE), DCMA, National Security Agency Cybersecurity Collaboration Center (NSA CCC), and Defense Counterintelligence and Security Agency (DCSA). Viasat is also an active participant in several Information Sharing and Analysis Centers, including the National Defense (ND-ISAC), Aviation (A-ISAC), and Space (Space ISAC) ISACs.

Our cybersecurity engineering teams have personnel dedicated to detection engineering activities that leverage threat intel gathered to mitigate the impact of security events. Security detection and operations teams are responsible for detection activities including 7x24 staffed Cybersecurity Operations Centers responsible for monitoring our service provider networks and internal corporate and development environments. Various automated tools are used for detection and remediation, with support from experienced detection and response analysts and engineers.

When security events do occur, we employ a security incident response process that is designed to contain, eradicate, and recover operations as quickly as possible, while preserving forensic evidence for further analysis and potential attribution. We leverage multiple third parties for incident response and forensic support on retainer as necessary to assist during the incident response and remediation phases. We also maintain cybersecurity insurance in the event of cybersecurity related damages or data loss as a result of a cybersecurity incident or unauthorized data disclosure.

During fiscal year 2024, we did not identify risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition. We face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors - Our Reputation and Business Could Be Materially Harmed as a Result of Data Breaches, Data Theft, Unauthorized Access or Hacking” in Part I, Item 1A of this report.


Company Information

Name: VIASAT INC
CIK: 0000797721
SIC Description: Radio & Tv Broadcasting & Communications Equipment
Ticker: VSAT - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: March 30