MOOG INC. 10-K Cybersecurity GRC - 2024-11-27

Page last updated on November 27, 2024

MOOG INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-27 08:57:47 EST.

Filings

10-K filed on 2024-11-27

MOOG INC. filed a 10-K at 2024-11-27 08:57:47 EST
Accession Number: 0000067887-24-000166


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity policies and reporting processes are designed so that members of our senior management receive timely and adequate information regarding cybersecurity matters that impact the Company, including threats and incident response. We have implemented an approach to assess, identify and manage cybersecurity risks within our overall enterprise risk management program that shares common methodologies, reporting channels and governance processes and is based on a recognized framework established by the National Institute of Standards and Technology. Cybersecurity risks, both internal and from third parties, are tracked regularly. We have established plans and procedures to guide us through an active threat or incident in order to return to normal business operations. We have developed a notification process to allow for real-time escalation of material cybersecurity incidents by and among members of our Corporate IT Security Team (“CIST”). We also maintain an Executive Cyber Incident Escalation Team (“ECIET”), which consists of our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), Chief Information Officer (“CIO”) and the Chief Information Security Officer (“CISO”). The ECIET meets annually to practice and refine our processes through tabletop exercises simulating cyberattacks for incident response, management and escalation at both technical and executive levels in order to maintain readiness to respond and to identify any areas where improvements or updates to our cybersecurity infrastructure or procedures are required. In addition, our IT infrastructure management program maintains an IT Crisis Response Plan (“ICRP”) where we have disaster recovery plans for key applications. The ICRP includes processes which address disruption of services that affect any IT services supplied by third-party vendors or service providers.

Our IT infrastructure management program also ensures an initial risk assessment is conducted on all new third-party vendors prior to engagement. We regularly complete periodic assessments and testing of our practices to address cybersecurity threats and incidents by performing internal audits of internal processes and controls. We engage third-party expertise and utilize threat intelligence feeds to supplement and enhance our CIST of cybersecurity professionals. In addition, we require all employees to take several mandatory cybersecurity training courses on an annual basis. In the ordinary course of our business, we have experienced, and expect to continue to experience, cyber-based attacks and other attempts to compromise our information systems. Based on the information we have as of the date of this Annual Report on Form 10-K, we do not believe that any risks from any cybersecurity threats or from any previous cybersecurity incident have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. Although our processes are designed to help prevent, detect, respond to and mitigate the impact of such incidents, whether directly or through our supply chain or other channels, we face a risk of such threats, the consequences of which could be material. Further, the preventative actions we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against these potential threats and incidents in the future. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” under the heading “We face, and may continue to face, risks related to information systems interruptions, intrusions and or new software implementations, which may adversely affect our business operations” for a discussion of cybersecurity risks.

Cybersecurity Governance

Our Board of Directors (“Board”) is informed about cybersecurity risk matters pertaining to the Company and its operations as part of our overall enterprise risk assessment. At least annually, or more frequently as necessary, the Board receives cybersecurity briefings and is apprised of cybersecurity incidents deemed to pose significant risk to us. Our internal controls and procedures are designed to provide for the identification, notification, escalation and communication of cybersecurity incidents to management, including when appropriate to the Board, so that decisions regarding public disclosure and reporting of such incidents can be made in a timely manner. The CIST, led by our CISO, is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes that protect, detect and respond in the defense of our data and enterprise computing systems and networks. The CIST is supported by experienced and knowledgeable leaders, who each have several decades of experience managing risk at Moog or similar companies, including risks arising from cybersecurity threats. The CIST consists of several centers of expertise composed of persons with many types of skills and ability, including security operations center analysts, cyber engineers, threat hunters, threat modelers, cyber risk and compliance professionals, and threat and vulnerability management analysts. Members of the CIST maintain cybersecurity credentials, such as Certified Information Security Manager, Certified Information Systems Security Specialist, CompTIA Security+ and Cybersecurity Analyst+, EC-Council Certified Ethical Hacker, Computer Hacking Forensic Investigator, and several vendor product certifications including from Amazon Web Services, Microsoft and Qualys.

We also perform annual internal assessments and audits of internal processes and controls related to cybersecurity and engage third-party experts to support the assessment of cybersecurity related risks, including cybersecurity penetration testing. The results of these assessments, audits and tests are reported to the CIO and CFO. In the event of a cybersecurity incident, we engage our Incident Response Plan, which outlines the steps to be followed regarding preparation, detection, analysis, containment, eradication, recovery, notification, and post-incident remediation. Notification includes informing functional areas (e.g., legal), as well as senior management and the Board, as appropriate. We also have an insider threat detection program to proactively identify internal threats and mitigate those threats in a timely manner. As a defense contractor, we must comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement to adequately safeguard controlled unclassified information and reporting cybersecurity incidents to the Department of Defense’s Cybersecurity Maturity Model Certification program. Moog also shares and receives threat intelligence information with our defense industrial base peers, government agencies, information sharing and analysis centers and cybersecurity associations. The CISO and the CIO present cybersecurity updates regularly and, as necessary, to the CFO. The CFO will engage the Board to participate in assessing cybersecurity risk as part of the Company’s overall risk assessment. In addition, the Board is informed when a cybersecurity issue is identified that may pose significant risk to the Company.


Company Information

Name: MOOG INC.
CIK: 0000067887
SIC Description: Misc Industrial & Commercial Machinery & Equipment
Ticker: MOG-A - NYSE; MOG-B - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 27