TRIUMPH GROUP INC 10-K Cybersecurity GRC - 2024-05-31

Page last updated on July 16, 2024

TRIUMPH GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-31 16:45:34 EDT.

Filings

10-K filed on 2024-05-31

TRIUMPH GROUP INC filed a 10-K at 2024-05-31 16:45:34 EDT
Accession Number: 0000950170-24-067390

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy Our cybersecurity program is designed to safeguard our information systems and protect confidentiality, integrity, and availability of those information systems and the information residing therein. Our cybersecurity risk management program is integrated with our broader enterprise risk management programs under the oversight of our Chief Administrative Officer (“CAO”) and the Enterprise Risk Management Committee. The CAO reports to the CEO and is responsible for our overall information and data security strategy, cybersecurity risk policies and procedures, as well as evaluating and managing any material risks from cyber threats. Our Chief Information Security Officer (“CISO”) reports directly to our CAO and leads our cybersecurity and compliance department. The cybersecurity and compliance department, in conjunction with our Computer Security Incident Response Team (“CSIRT”), designs, implements, and executes continuous monitoring processes for our information systems. Our monitoring programs include the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. The CSIRT is responsible for the detection and assessment of cybersecurity threats and incidents in accordance with a formal risk assessment matrix established in cooperation with our Cybersecurity Disclosure Committee. This risk assessment matrix establishes a framework for notification of an incident to the Cybersecurity Disclosure Committee and, if appropriate, the Audit Committee or Board of Directors. The CISO also partners with internal functions such as finance, legal, and internal audit, as well as third-party consultants who perform risk-based assessments against the National Institute of Standards and Technology (“NIST”) 800-171 Rev2 and Cybersecurity Maturity Model Certification with recommendations, in designing, implementing, executing, monitoring, and improving our cybersecurity risk management program and strategy, helping ensure such programs and strategy align with our business and operational objectives. Results of third-party assessments are shared with the Audit Committee or Board of Directors. In the event of a cybersecurity incident, the CSIRT has an Incident Response Plan that outlines the steps that are designed to help ensure regulatory requirements are met and cyber vulnerabilities, if any, are addressed. We periodically conduct “tabletop” exercises to simulate cybersecurity incidents and help ensure that we are prepared to respond to such incidents in accordance with our internal policies and programs, as well as applicable laws and regulations. In addition, tabletop exercises allow us to identify areas for potential improvement and maturation of our Incident Response Plan, or other aspects of our cybersecurity risk 21 management program. These exercises have included participation by members of our Cybersecurity Disclosure Committee, including our CAO and Chief Financial Officer. We have established a supply chain risk management program, which is a cross-functional program that forms part of our Enterprise Risk Management program and is supported by our security, compliance, and supply chain organizations. Through this evolving program, we assess the risks from cybersecurity threats that impact suppliers and third-party service providers with whom we share personal identifying and confidential information. We continue to assess and evolve our oversight processes to mature how we manage cybersecurity risks associated with the products and services we procure. We generally require our suppliers to adopt security practices based on industry-recognized standards. We have experienced, and may experience in the future, either directly or through our supply chain or other channels, cybersecurity incidents. To date, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For additional information about risks associated with cybersecurity, refer to “Our business could be negatively affected by cyber or other security threats or other disruptions” in Item 1A. Risk Factors. Governance Our Board of Directors has overall responsibility for risk oversight and has delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee reports on its activities, findings, and other matters to the full Board of Directors quarterly, or more frequently as events or circumstances may require. The Audit Committee is charged with reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. The CAO and CISO present an update to the Audit Committee on our cybersecurity risks and risk management strategies and processes at each regularly scheduled, quarterly meeting. These presentations include assessments on the threat landscape; emerging risks, threats, or vulnerabilities; updates on our risk management activities, including investments in risk mitigation and governance; compliance with laws and regulations; internal controls; and updates on incidents. At the management level, we have established two committees that are directly involved in managing and responding to cybersecurity risks and incidents: the Enterprise Risk Management Committee and the Cybersecurity Disclosure Committee. The Enterprise Risk Management Committee is responsible for assessing enterprise risk and overseeing our enterprise risk management programs, including the cybersecurity risk management programs described above. The Cybersecurity Disclosure Committee is a subcommittee of our Disclosure Committee and is responsible for assessing the materiality of identified cybersecurity incidents resulting from our monitoring programs described above and informing the Chair of the Audit Committee, the Audit Committee, or the Board of Directors, as appropriate. The CISO has responsibility for notifying the CAO and the Cybersecurity Disclosure Committee of potentially material cybersecurity incidents based on an established policy and risk assessment matrix that incorporates an evaluation of quantitative and qualitative factors such as potential impact on results of operations and financial condition, compliance with laws and regulations, and impact on key stakeholders such as employees and business partners. The CISO has over fifteen years of cybersecurity risk management experience and has served the Company for over twenty years in various roles involving managing information technology, security and compliance functions, including developing key enterprise capabilities such as security engineering and strategies on information security risk management. The CAO and Chief Financial Officer are members of both the Enterprise Risk Management Committee and the Cybersecurity Disclosure Committee and are supported by our information security, compliance, contracts, treasury, investor relations, operations, and supply chain organizations so that identified issues can be addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.

Company Information