NORTHROP GRUMMAN CORP /DE/ 10-K Cybersecurity GRC - 2025-01-30

Page last updated on January 30, 2025

NORTHROP GRUMMAN CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-30 16:11:12 EST.

Filings

10-K filed on 2025-01-30

NORTHROP GRUMMAN CORP /DE/ filed a 10-K at 2025-01-30 16:11:12 EST
Accession Number: 0001133421-25-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by both management and our Board of Directors. In 2024, our global cybersecurity function was maintained in our Chief Information Office, led by our Chief Information Officer (CIO), who reported to our CEO. In 2025, we have brought together our chief information and digital transformation offices into a newly formed Chief Information and Digital Office, led by our Chief Information and Digital Officer (CIDO), who reports to the CEO. The Chief Information Security Officer (CISO) , who previously reported to the CIO, now reports to the CIDO and continues to lead our cybersecurity functions. The CISO is responsible for the assessment and management of cybersecurity risk and the resiliency, protection and defense of our networks and systems . The CISO leads a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, data protection, privacy, insider threats and regulatory compliance. The current CISO is an executive with extensive technical and operational experience in building and leading cybersecurity and resiliency teams in the industry and government. Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight . The full Board receives an update on the company’s risk management process and the risk trends related to cybersecurity at least annually. The Audit and Risk Committee specifically assists the Board in its oversight of risks related to cybersecurity . To help ensure effective oversight, the CISO briefs the Audit and Risk Committee on the company’s information security and cybersecurity risk posture at least four times a year. In addition, the company’s Enterprise Risk Management Council (ERMC) considers risks relating to cybersecurity, among other significant risks, and applicable mitigation plans to address such risks. The ERMC is comprised of the Executive Leadership Team, as well as the Chief Accounting Officer, Chief Ethics and Compliance Officer, Corporate Secretary, Chief Sustainability Officer, Treasurer and Vice President, Internal Audit. The CISO and the CIDO (previously the CIO) attend each ERMC meeting. The ERMC meets during the year and receives periodic updates from the CIDO and CISO on cybersecurity risks. We have an established process governing our response to a cybersecurity incident from detection to mitigation, recovery, assessment, internal and external notifications and functional stakeholder engagements with legal, privacy and risk management, among others. Depending on the nature and severity of an incident, this process provides for escalating notification to our CEO and the Board (including our Lead Independent Director and the Audit and Risk Committee chair), as appropriate. Our approach to cybersecurity risk management includes the following key elements: - Multi-Layered Defense and Continuous Monitoring - We work to protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and search for cyber threats. Our Cybersecurity Operations Center provides comprehensive cyber threat detection and response capabilities and maintains a 24x7 monitoring system which complements the technology, processes and threat detection techniques we use to monitor, manage and mitigate cybersecurity threats or vulnerabilities. From time to time, we engage third-party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats. We also periodically use our Internal Audit function to conduct additional reviews and assessments. - Insider Threats - We maintain an insider threat program, led by our Vice President, Corporate and Enterprise Security, designed to identify, assess, and address potential risks from within our company. Our -21- NORTHROP GRUMMAN CORPORATION program evaluates potential risks consistent with industry practices, customer requirements and applicable law, including privacy and other considerations. - Information Sharing and Collaboration - We work with government, customer, industry and/or supplier partners, such as the National Defense Information Sharing and Analysis Center and other government-industry partnerships, to gather and develop best practices and share information to address cyber threats. These relationships enable the rapid sharing of threat and vulnerability mitigation information across the defense industrial base and supply chain. - Third Party Risk Management - We conduct cybersecurity assessments before sharing or allowing the hosting or processing of sensitive data in computing environments managed by third parties, and our standard terms and conditions contain contractual provisions requiring certain cybersecurity and data protections and controls. Finally, we require these third parties to notify us promptly of cyber incidents or data breaches so that we can assess potential impact on us. - Training and Awareness - We provide annual cybersecurity and information security awareness training to our employees with network access to help identify, avoid and mitigate cybersecurity threats and insider risks. This training also includes awareness about the policies and guidance associated with data privacy and protection of personal information, and protection and security of our company, customer and other third-party data. Our employees with network access also participate in annual spear phishing exercises. We also periodically host cybersecurity and ransomware tabletop exercises with management and other company functional stakeholders to practice rapid cyber incident response. - Supplier Engagement - We provide training and other resources to our suppliers to support cybersecurity resiliency and data security principles in our supply chain. We also require our suppliers, subcontractors and third-party service providers to comply with our standard cybersecurity-related terms and conditions, in addition to any requirements from our customers, as a condition of doing business with us, and require them to complete information security questionnaires to review and assess any potential cyber-related risks depending on the nature of the services or products being provided. - Third Party Cybersecurity Service Providers - We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program’s risk prevention and protection measures and process execution, including incident detection, investigation, analysis and response, eradication and recovery. Additionally, several external entities evaluate our cybersecurity program, including the U.S. Defense Contract Management Agency, the Defense Industrial Base Cybersecurity Assessment Center and a Cybersecurity Maturity Model Certification Third Party Assessment Organization , to assess and certify our cybersecurity regulatory compliance. We also engage with external auditors and consultants who conduct audits and assessments of our cybersecurity controls. - Product Security - We provide cyber threat intelligence to, and collaboration with, our product security teams and share expertise in cyber vulnerability, exploit and resilience technology that can be applied to network infrastructure and company product offerings. While we have experienced cybersecurity incidents in the past, to date none have materially affected the company or our financial position, results of operations and/or cash flows. We continue to invest in the cybersecurity and resiliency of our networks and products and to enhance our internal controls and processes, which are designed to help protect our programs, systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see “Risk Factors.” FORWARD-LOOKING STATEMENTS AND PROJECTIONS This Annual Report on Form 10-K and the information we are incorporating by reference contain statements that constitute “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995. Words such as “will,” “expect,” “anticipate,” “intend,” “may,” “could,” “should,” “plan,” “project,” “forecast,” “believe,” “estimate,” “guidance,” “outlook,” “trends,” “goals” and similar expressions generally identify these forward-looking statements. Forward-looking statements include, among other things, statements relating to our future financial condition, results of operations and/or cash flows. Forward-looking statements are based upon assumptions, expectations, plans and projections that we believe to be reasonable when made, but which may change over time. These statements are not guarantees of future performance and inherently involve a wide range of risks and uncertainties that are difficult to predict. Specific risks that could cause actual results to differ materially from those expressed or implied in these forward-looking statements include, but are not limited to, those identified -22- NORTHROP GRUMMAN CORPORATION under “Risk Factors” and other important factors disclosed in this report and from time to time in our other filings with the SEC. They include: Industry and Economic Risks - our dependence on the U.S. government for a substantial portion of our business - significant delays or reductions in appropriations and/or for our programs, and U.S. government funding and program support more broadly, including as a result of a prolonged continuing resolution and/or government shutdown, and/or related to the global security environment or other global events - significant delays or reductions in payments as a result of or related to a breach of the debt ceiling - the use of estimates when accounting for our contracts and the effect of contract cost growth and our efforts to recover or offset such costs and/or changes in estimated contract costs and revenues, including as a result of inflationary pressures, labor shortages, supply chain challenges and/or other macroeconomic factors, and risks related to management’s judgments and assumptions in estimating and/or projecting contract revenue and performance which may be inaccurate - increased competition within our markets and bid protests - continued pressures from macroeconomic trends, including on costs, schedules, performance and ability to meet expectations Legal and Regulatory Risks - investigations, claims, disputes, enforcement actions, litigation (including criminal, civil and administrative) and/or other legal proceedings - changes in procurement and other laws, SEC, DoD and other rules and regulations, contract terms and practices applicable to our industry, findings by the U.S. government as to our compliance with such requirements, more aggressive enforcement of such requirements and changes in our customers’ business practices globally - the improper conduct of employees, agents, subcontractors, suppliers, business partners or joint ventures in which we participate, including the impact on our reputation and our ability to do business - environmental matters, including climate change, unforeseen environmental costs and government and third-party claims - unanticipated changes in our tax provisions or exposure to additional tax liabilities Business and Operational Risks - cyber and other security threats or disruptions faced by us, our customers or our suppliers and other partners, and changes in related regulations - the performance and viability of our subcontractors and suppliers and the availability and pricing of raw materials, chemicals, parts and components, particularly with inflationary pressures, increased costs, shortages in labor and financial resources, supply chain disruptions, and extended material lead times - our ability to attract and retain a qualified and talented workforce with the necessary security clearances to meet our performance obligations - our exposure to additional risks as a result of our international business, including risks related to global security, geopolitical and economic factors, misconduct, suppliers, laws and regulations - natural disasters, epidemics, pandemics and similar outbreaks and other significant disruptions - our ability to innovate, develop new products and technologies, progress and benefit from digital transformation and maintain technologies to meet the needs of our customers - products and services we provide related to hazardous and high risk operations, including the production and use of such products, which subject us to various environmental, regulatory, financial, reputational and other risks - our ability appropriately to protect and exploit intellectual property rights -23- NORTHROP GRUMMAN CORPORATION General and Other Risk Factors - the adequacy and availability of, and ability to obtain, insurance coverage, customer indemnifications or other liability protections - the future investment performance of plan assets, gains or losses associated with changes in valuation of marketable securities related to our non-qualified benefit plans, changes in actuarial assumptions associated with our pension and other postretirement benefit plans and legislative or other regulatory actions impacting our pension and postretirement benefit obligations - changes in business conditions that could impact business investments and/or recorded goodwill or the value of other long-lived assets, and other potential future liabilities You are urged to consider the limitations on, and risks associated with, forward-looking statements and not unduly rely on the accuracy of forward-looking statements. These forward-looking statements speak only as of the date this report is first filed or, in the case of any document incorporated by reference, the date of that document. We undertake no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by applicable law.

Company Information