TransDigm Group INC 10-K Cybersecurity GRC - 2024-11-07

Page last updated on November 7, 2024

TransDigm Group INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-07 16:05:07 EST.

Filings

10-K filed on 2024-11-07

TransDigm Group INC filed a 10-K at 2024-11-07 16:05:07 EST
Accession Number: 0001260221-24-000083

Item 1C. Cybersecurity.

We have established a risk-based cybersecurity and information security program (“program”) designed to assess, identify, and manage material risks from cybersecurity threats. Our cybersecurity risk management process includes policies that specify the requirements for technical security controls, monitoring systems, tools and services from third-party providers, and employee training and awareness. Our cybersecurity risk management process also includes regular independent audits across our operating units. Management oversees our cybersecurity risk management process in order to assess and manage material risks from cybersecurity threats identified by both internal and external threat intelligence. Our program monitors and evaluates risks from cybersecurity threats, and we aim to adapt our program and related processes accordingly.

As adopted by our businesses, which has been overseen by our corporate executive team, we have a cybersecurity incident response plan that outlines our policies and procedures for managing a cybersecurity incident. Our businesses are required to conduct regular exercises of their incident response plan as part of our program.

The multi-layered framework on which our cybersecurity and information security program is built incorporates cybersecurity standards and certain requirements of the National Institute of Standards and Technology (“NIST”) Special Publication 800-171, Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations, along with other legal and regulatory requirements. However, this does not mean that we meet any particular technical standards, specifications, or requirements, but rather that we use NIST and other cybersecurity standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity and information security program is led by the Company’s Vice President of Cybersecurity (“VPoC”) who reports to our Chief Financial Officer. Our VPoC has served as a technology leader of cybersecurity, information security, infrastructure, and operational functions for over 35 years. The VPoC is supported by the Incident Response Team (“IRT”), a management committee made up of the Co-Chief Operating Officers, Chief Financial Officer, and executives in legal, finance, IT, and audit. The IRT supports the VPoC in assessing and managing risks from cybersecurity threats and in the event of a cybersecurity incident, provides oversight and leadership with respect to incident response.

We have in place an incident response plan to identify, respond to, and recover from cybersecurity threats and cybersecurity incidents. In the event of a potentially material cybersecurity incident, as determined by the VPoC with support from legal, as needed, the IRT is notified through an established escalation protocol. The Chair of the Audit Committee is also notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held as appropriate. We maintain a relationship with a third-party forensic vendor available for incident response and investigation. Additionally, we maintain cybersecurity insurance.

The Company’s Board of Directors oversees our enterprise risk management (“ERM”) program and has delegated the primary responsibility for its oversight, which includes oversight of cybersecurity risk, to the Audit Committee. The Audit Committee is informed about material risks from cybersecurity threats through regular discussion with management regarding cybersecurity risk mitigation and cybersecurity incident management. Executive management, including our VPoC, regularly presents to the Audit Committee regarding cybersecurity matters, including program updates, key metrics, and developments.
The ERM program inventories and classifies key risk areas. We employ a methodology for scoring the risks based on the probability and impact of individual risks and discuss and implement countermeasures to address the risks.

Based on the information we have as of the date of this Annual Report on Form 10-K, we do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For further information about risks related to cybersecurity threats, refer to Item 1A. “Risk Factors.”


Company Information

Name: TransDigm Group INC
CIK: 0001260221
SIC Description: Aircraft Parts & Auxiliary Equipment, NEC
Ticker: TDG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29