Page last updated on October 30, 2024
COMTECH TELECOMMUNICATIONS CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-30 17:30:48 EDT.
Filings
10-K filed on 2024-10-30
COMTECH TELECOMMUNICATIONS CORP /DE/ filed a 10-K at 2024-10-30 17:30:48 EDT
Accession Number: 0000023197-24-000104
Item 1C. Cybersecurity.

Cybersecurity Risk Management Strategy and Program

We identify and assess material risks from cybersecurity threats predominantly through the work of our Information Security (“InfoSec”) team as part of our enterprise risk management (“ERM”) process. Our ERM process is designed to identify and evaluate the full range of significant risks to Comtech. As part of our ERM program, our functional and operations departments identify and manage enterprise risks on an annual cycle. The process consists of structured reviews, discussions, and mitigation planning, and includes risks identified by our cybersecurity functions. The cybersecurity ERM process is administered by InfoSec with input from each business segment and function, and continually monitors material cybersecurity risks facing Comtech, including cybersecurity threats and threats to our internal systems, our products, services and programs for customers, and our supply chain. Our CISO has extensive experience leading information technology for global organizations across communications, aerospace and defense, and works directly with our CEO, Chief Financial Officer, Executive Vice President (“EVP”) of Systems and IT Controls, and other members of senior management to assess cybersecurity threats as part of our ERM process. To manage and remediate cybersecurity risks identified as part of our ERM process and to manage emerging cybersecurity threats in real time, we have implemented a Managed Detection and Response system that supports the Security Operations Center. We are a member of the DoD Defense Industrial Base Collaborative Information Sharing Environment and the National Defense Information Sharing and Analysis Center. These organizations share real-time cybersecurity threat information and best practices in protecting against, detecting, and recovering from cybersecurity threats.

As a government contractor, we must comply with extensive cybersecurity regulations, including the DFARS related to adequately safeguarding controlled unclassified information and reporting cybersecurity incidents to the DoD. The policies and controls we have implemented to date reflect our adherence to these requirements and have been assessed by external organizations, including industry partners.

Enterprise Cybersecurity

Our enterprise cybersecurity program aligns with the National Institute of Standards and Technology (“NIST”) standards, among others, and includes processes and controls for the deployment of new IT systems by the Company and controls over the operation of new and existing systems. We monitor and conduct regular testing of these controls and systems, including vulnerability management through active discovery and testing to regularly assess patching and configuration status. In addition, we require our employees and contract workers to complete annual cybersecurity training, and we regularly conduct simulated phishing and cyber-related communications.

Cybersecurity for U.S. Government Authorized Systems

Our information technology systems used in connection with programs for the U.S. government align with the NIST standard and meet the requirements of 32 CFR Part 117 (National Industrial Security Program Operating Manual) and other applicable U.S. government guidance. The program includes authorizations and assessments of new and existing IT systems by our customers. We monitor use on these systems, including vulnerability management through patching and configuration. In addition, we restrict user access and require authorized users to complete additional user and cybersecurity training.

Third Party Service Providers

We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program’s risk prevention and protection measures and process execution, including incident detection, investigation, analysis and response, eradication and recovery.

Management of Third-Party Risks

Our suppliers, subcontractors and third-party service providers are subject to cybersecurity obligations and controls as aligned with DFARS and U.S. Federal Acquisition Regulations (“FARS”) requirements. We are making strides to ensure suppliers, subcontractors and third-party service providers are knowledgeable about and aligned with DFARS and FARS requirements. We are also developing an enhanced program under which our suppliers, subcontractors, and third-party service providers agree to cybersecurity-related contractual terms and conditions of purchase to ensure their commitment to the mandates. Many of these contractors, suppliers or third parties are also subject to regulatory requirements in mandatory government procurement clauses, including those contained in the DFARS and FARS, which obligate adherence to a generally accepted cybersecurity framework, such as NIST, and occasional assessment of their implementation of cybersecurity controls as a condition of contract award or during contract performance. Finally, we require these third parties to notify us of cybersecurity incidents that impact us.

Program Assessment

We continuously evaluate and seek to improve and mature our cybersecurity processes and controls. Our cybersecurity program is regularly assessed through management self-evaluations and ongoing monitoring procedures to evaluate our program effectiveness, including vulnerability management through active discovery, and testing to validate patching and configuration.

Additionally, our InfoSec function regularly assesses our program effectiveness through audits of our entities, systems, and processes to help maintain compliance with policies. As cybersecurity threats are continuously evolving, we also periodically engage with third parties to perform maturity assessments of our program to identify potential risk areas and improvement opportunities. This includes assessment of our overall program, policies and processes, compliance with regulatory requirements and an overall assessment of key vulnerabilities. We use these assessments to supplement our own evaluation of the overall effectiveness of our program and to target improvement areas. Several external organizations also evaluate our enterprise cybersecurity program, including the U.S. Defense Contract Management Agency (“DCMA”) and a Cybersecurity Maturity Model Certification Third Party Assessment Organization. Moreover, some of our products are audited or reviewed for regulatory compliance certification pursuant to the relevant DoD risk management framework.

Board Oversight and Management’s Role

Our Board of Directors has primary oversight responsibility for enterprise cybersecurity risks. The Technology, Innovation, and Cyber Committee of the Board of Directors also reviews enterprise cybersecurity risks in connection with its oversight of cybersecurity and compliance risks. Our CISO leads our enterprise cybersecurity program and is responsible for assessing and managing enterprise cybersecurity risks in coordination with the EVP of Systems and IT Controls. Our CISO regularly updates the Technology, Innovation and Cyber Committee and the Board of Directors on cybersecurity risks as they relate to our information and operational technology systems and our suppliers and partners, and provides regular updates on enterprise cybersecurity incidents and key defenses and mitigation strategies.
Our CISO regularly reviews enterprise cybersecurity risks, controls, program policy and processes, including training, oversees policy and program development, implementation, and updates, and informs senior leadership on cybersecurity-related issues and activities affecting the organization. Additionally, our CISO is regularly apprised of enterprise cybersecurity events, threats, and activities, including with respect to incidents, protection vulnerabilities, software update needs and lifecycle status.
Company Information
Name: COMTECH TELECOMMUNICATIONS CORP /DE/
CIK: 0000023197
SIC Description: Radio & Tv Broadcasting & Communications Equipment
Ticker: CMTL - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: July 30