MERCURY SYSTEMS INC 10-K Cybersecurity GRC - 2024-08-13

Page last updated on August 13, 2024

MERCURY SYSTEMS INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-13 17:08:59 EDT.

Filings

10-K filed on 2024-08-13

MERCURY SYSTEMS INC filed a 10-K at 2024-08-13 17:08:59 EDT
Accession Number: 0001049521-24-000029


Item 1C. Cybersecurity.

We assess and identify material risks from cybersecurity threats primarily through the work of our Chief Information Officer (“CIO”) as part of our enterprise risk management (“ERM”) process. The ERM process, administered by management with input from business leaders and our global and corporate functions, monitors material risks facing Mercury, including cybersecurity threats. Our CIO works directly with our CFO and other members of senior management to assess cybersecurity threats as part of the ERM process. Our CIO oversees the internal cybersecurity organization headed by our Chief Information Security Officer (our “Cybersecurity Team”). Risks related to cybersecurity threats are reflected in an enterprise risk “heat map,” along with other material risks identified through the ERM process, and any mitigation plans developed to manage such risks are reported to our Board of Directors.

We could be negatively impacted by a security breach, through a cyber-attack, cyber intrusion, insider threat, supply chain incident, or other significant disruption of our IT networks and related systems. See “Item 1A - Risk Factors” in this Annual Report for a further discussion of specific risks related to cybersecurity threats.

Our Cybersecurity Team monitors activity, scans applications and systems for vulnerabilities to risk from cybersecurity threats, and creates action plans to address and track identified cybersecurity threats until they have been remediated. Activities and cybersecurity incidents are reported to our cyber critical incident response team and to our CIO, who briefs our Compliance Committee, a dedicated committee of senior management focused on regulatory compliance.

Our Cybersecurity Team also routinely engages with third parties, including government agencies focused on cyber resiliency, to manage risks from cybersecurity threats. For example, we are members of the DoD Defense Industrial Base Collaborative Information Sharing Environment, the National Defense Information Sharing and Analysis Center, and the National Security Agency Enduring Security Framework as well as Infragard, a partnership between the FBI and members of the private sector for the protection of U.S. critical infrastructure. These organizations share real-time cybersecurity threat information and best practices in protecting, detecting, and recovering from cybersecurity threats.

We maintain an insider threat program designed to identify, assess, and address potential internal risks from within our Company. Our program evaluates potential risks consistent with industry practices, customer requirements and applicable law, including privacy and other considerations.

As a government contractor, we must comply with extensive cybersecurity regulations, including the Defense Federal Acquisition Regulation Supplement related to adequately safeguarding controlled unclassified information and reporting cybersecurity incidents to the DoD. Our policies and implemented controls reflect our adherence to these requirements.

Additionally, as part of our processes to manage risks related to a breach in our information systems, management requires employees to take cybersecurity trainings and shares regular awareness updates regarding cybersecurity threats. Our Cybersecurity Team regularly tests employees throughout the year to assess the effectiveness of our cybersecurity training. We also conduct penetration testing of our network, hold tabletop exercises of cyber incidents, and undertake cybersecurity assessments to improve our risk mitigation and assist in the determination of a potential material impact caused by a cybersecurity incident.

Our Board of Directors provides oversight of our ERM process and other guidelines and policies governing the processes by which our CEO and senior management assess our exposure to risk, including risk from cybersecurity threats. Our management Compliance Committee receives briefings from our CIO, Chief Information Security Officer, and other members of senior management on cybersecurity threats and related matters and assists the Board in its oversight and review of our ERM process. Our management Compliance Committee reviews our cybersecurity risk across the enterprise and our cybersecurity strategy framework and operational posture. The Compliance Committee also reviews our IT, data security and other systems, processes, policies, procedures and controls to (a) identify, assess, monitor, and mitigate cybersecurity risks; (b) identify measures to protect and safeguard against cybersecurity threats and breaches of confidential information and data and IT infrastructure and our other assets or assets of our customers or other third parties in our possession or custody; (c) support the response and management of cybersecurity threats and data breach incidents; and (d) aid in compliance with legal and regulatory requirements governing cybersecurity or data security reporting requirements.

To date, we have not experienced any cybersecurity incidents that have had a material effect on the Company or our financial position, results of operations and/or cash flows. We continue to invest in cybersecurity and enhance the resiliency of our networks and to strengthen our internal controls and processes, which are designed to help protect our systems and infrastructure, and the data they contain. For more information regarding the risks we face from cybersecurity threats, please see “Risk Factors.”


Company Information

Name: MERCURY SYSTEMS INC
CIK: 0001049521
SIC Description: Electronic Components & Accessories
Ticker: MRCY - Nasdaq
Category: Large accelerated filer
Fiscal Year End: June 29