Page last updated on February 3, 2025
RTX Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-03 17:21:23 EST.
Filings
10-K filed on 2025-02-03
RTX Corp filed a 10-K at 2025-02-03 17:21:23 EST
Accession Number: 0000101829-25-000005
Item 1C. Cybersecurity.
As a global aerospace and defense company serving commercial and government customers in the aerospace industry and domestic and international military and government customers as a defense contractor, we are the target of advanced and persistent cyber-attacks from a variety of sources. Our products and services are highly sophisticated and specialized, involve complex advanced technologies including information technology (IT) systems, and process, store, or transmit highly sensitive unclassified and classified information. Moreover, our products and services are often integrated with third-party products and services.

Cybersecurity threats include attacks on, or other attempts to infiltrate, our IT infrastructure and the IT infrastructure of our customers, suppliers, subcontractors, and other third parties, attempting to gain unauthorized access to our confidential or other proprietary information, classified information, or information relating to our employees, customers, and other third parties, or to disrupt our systems or the systems of our customers, suppliers, subcontractors, and other third parties. Cybersecurity threats also include attempts to infiltrate our products or services, such as attacks targeting the security, confidentiality, integrity or availability of the hardware, software and information installed, stored, or transmitted in our products, which may occur after the purchase of those products or when they are incorporated into third-party products, facilities, or infrastructure.

Our Cybersecurity Program

Given the nature of our business and the cybersecurity risks we face, we have a robust cybersecurity program for identifying, assessing, and managing cybersecurity risks, which include material risks from cybersecurity threats, to our internal systems, our products, services and programs for customers, and our supply chain. Our cybersecurity program is made up of two components: our enterprise cybersecurity program and our cybersecurity program for our products and services.

Enterprise Cybersecurity. Our enterprise cybersecurity program aligns with the National Institute of Standards and Technology (NIST) standards. Our program includes processes and controls for the deployment of new IT systems by the Company and controls over new and existing system operation. We monitor and conduct regular testing of these controls and systems, including vulnerability management through active discovery and testing to regularly assess patching and configuration status. In addition, we require our employees and contract workers to complete annual cybersecurity training, and we regularly conduct simulated phishing and cyber-related communications to educate individuals on the latest threats.

Product and Services Cybersecurity. Our product development processes apply development, security, and operations principles aligned with applicable government and commercial standards, and include vulnerability scanning and static and dynamic composition analysis. We regularly assess our product development processes, product cyber maturity, and the teams providing our secure services in relation to cybersecurity. In addition, we strive to meet all security requirements mandated by government and commercial customers and adhere to regulatory guidance and standards for system security engineering. Many of our products also undergo industry audits and regulatory compliance certifications, and our products delivered to the Department of Defense (DoD) must comply with DoD risk management requirements.

Cybersecurity for Systems used in Support of U.S. Government Customers. With respect to products and services provided to, and IT systems used in connection with programs for, the U.S. government, our cybersecurity program aligns with the NIST standards and meets the requirements of 32 CFR Part 117 and other applicable U.S. government guidance. The program includes authorization and assessment of new and existing IT systems by our customers and third parties. We monitor use on these systems, including vulnerability management through patching and configuration. In addition, we restrict user access and require authorized users to complete additional user and cybersecurity training.

Incident Response. Our cybersecurity program includes monitoring for potential security threats that may lead to exploitation of vulnerabilities. We evaluate and assign severity levels to incidents, escalate and engage incident response teams based on severity, and manage and mitigate the related risks. Incidents are reported internally to members of senior management and the Board of Directors as appropriate based on severity and incident type and are also analyzed for external reporting requirements. Our incident management process is designed to coordinate functions to enable continuity of essential business operations in the event of a cyber crisis.

Third-Party Service Providers. We engage third-party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring, and testing of the program's risk prevention and protection measures, and process execution including incident detection, investigation, analysis and response, eradication, and recovery.

Management of Third-Party Risks. Our suppliers, subcontractors, and other third-party service providers are subject to cybersecurity obligations and controls. We assess and periodically reassess the cybersecurity posture of third-party service providers who store, process, or transmit our information as a service, or connect to our networks. We also require our suppliers, subcontractors, and other third-party service providers to agree to cybersecurity-related contractual terms and conditions of purchase. Many of these third parties are also subject to regulatory requirements in mandatory government procurement clauses, including those contained in the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). Among other things, mandatory government procurement clauses obligate adherence to a generally accepted cybersecurity framework, such as NIST, and occasional assessment of the implementation of cybersecurity controls as a condition of contract award or during contract performance. Finally, we require these third parties to notify us of cybersecurity incidents that impact us.

Program Assessment. We continuously evaluate and seek to improve and mature our cybersecurity processes. Our cybersecurity program is regularly assessed through management self-evaluation and ongoing monitoring procedures to evaluate our program effectiveness, including assessments associated with internal controls over financial reporting as well as vulnerability management through active discovery and testing to validate patching and configuration. Additionally, our Internal Audit function regularly assesses our program effectiveness through audits of our systems and processes to help maintain compliance with policies. As cybersecurity threats are continuously evolving, we also periodically engage with third parties to perform maturity assessments of our program to identify potential risk areas and improvement opportunities. This includes assessment of our overall program, policies and processes, compliance with regulatory requirements, and assessment of key vulnerabilities. We use these assessments to supplement our own evaluation of the overall health of our program and target improvement areas. Several external organizations also evaluate our enterprise cybersecurity program, including the Defense Contract Management Agency (DCMA) and a Cybersecurity Maturity Model Certification Third-Party Assessment Organization. Moreover, some of our products are audited or reviewed for regulatory compliance certification pursuant to the relevant DoD risk management framework.

Board Oversight and Management's Role

Enterprise Cybersecurity. Our Board of Directors has primary oversight responsibility for enterprise cybersecurity risks. The Special Activities Committee of the Board supports the Board in oversight of classified business cybersecurity, including with respect to Company internal information and operational technology systems. The Audit Committee also considers enterprise cybersecurity risks in connection with its financial and compliance risk oversight role. Our global chief information security officer (CISO), under the direction of our chief digital officer, leads our enterprise cybersecurity program and is responsible for assessing and managing enterprise cybersecurity risks. Our CISO regularly updates the Board of Directors on cybersecurity risks as they relate to our information and operational technology systems, our suppliers, and other third-party service providers, in addition to updates on enterprise cybersecurity incidents and key Company defenses and mitigation strategies. Our CISO is an experienced cybersecurity senior executive with more than 25 years' experience building and leading cybersecurity, risk management, and IT teams. In performing his role, he regularly reviews enterprise cybersecurity risks, controls, program policy, and processes, including training, oversees policy and program development, implementation and updates, and informs senior leadership on cybersecurity-related issues and activities affecting the organization. Our CISO is regularly apprised of enterprise cybersecurity events, threats, and activities, including with respect to incidents, protection vulnerabilities, software update needs, and lifecycle status.

Product and Services Cybersecurity. The Special Activities Committee of our Board of Directors has primary oversight responsibility for cybersecurity risks related to our products and services. The full Board of Directors also receives periodic briefings from management regarding the Company's products and services cybersecurity risks. The Audit Committee also considers product and services cybersecurity risks in connection with its financial and compliance risk oversight role. Our product cybersecurity officer (PCO), under the direction of our chief technology officer, leads our cybersecurity program for our products and services and is responsible for assessing and managing related cybersecurity risks. Our PCO updates the Special Activities Committee on cybersecurity risks as they relate to our products and services, in addition to updates on product and service cybersecurity incidents, defenses, and mitigation strategies. Our PCO is an experienced embedded systems engineer and chief engineer with nearly 20 years' experience in the development, product assurance, and security of critical and highly regulated embedded and other computer systems in medical, aviation, and military products and services. In performing her role, she regularly reviews cybersecurity risks, controls, program policy and processes, including training, and oversees and advises teams performing policy and program development, implementation, and updates. Our PCO is regularly apprised of product and service cybersecurity events, threats, and activities including with respect to incidents, protection vulnerabilities, software update needs, and lifecycle status.

Enterprise Risk Management

Our cybersecurity risk processes are a key element of our Enterprise Risk Management (ERM) process, which is designed to identify and evaluate the full range of significant risks to RTX. As part of our ERM program, RTX's functional and operations departments identify and manage enterprise risks on an annual cycle. The process consists of structured reviews, discussions, and mitigation planning, and includes risks identified by our Enterprise Cybersecurity and Product Cybersecurity functions as part of the overall review of significant risks to RTX. The top ERM risks are compiled annually and shared with the Audit Committee of the Board of Directors as well as the full Board of Directors. In addition, Internal Audit incorporates these risks into its continuous risk assessment process and periodically audits specific ERM risks. For more information on risks related to cybersecurity, see Item 1A. "Risk Factors" of this Form 10-K.
Company Information
Name | RTX Corp |
CIK | 0000101829 |
SIC Description | Aircraft Engines & Engine Parts |
Ticker | RTX - NYSE |
Category | Large accelerated filer |
Fiscal Year End | December 30 |