DELTA AIR LINES, INC. 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

DELTA AIR LINES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 17:02:24 EST.

Company Summary

Delta Air Lines is one of the major airlines of the United States and a legacy carrier headquartered in Atlanta, Georgia. It is the United States’ oldest operating airline and the seventh-oldest operating worldwide. (Source: Wikipedia)

Filings

10-K filed on 2025-02-11

DELTA AIR LINES, INC. filed a 10-K at 2025-02-11 17:02:24 EST
Accession Number: 0000027904-25-000004


Item 1C. Cybersecurity.

We are committed to safeguarding our information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Our program to protect our information assets and the management of risks to those assets supports the confidentiality, integrity, and availability of the information necessary to our long-term business success.

Risk Management & Strategy

Our processes for assessing, identifying and managing material risks from cybersecurity threats is incorporated into our Enterprise Risk Management (“ERM”) framework. Our information security and ERM teams coordinate to regularly review and assess these risks using a wide range of tools and services.

Our cybersecurity program leverages components from several industry frameworks and generally recognized best practices, including International Organization for Standardization 27001 and National Institute of Standards and Technology (“NIST”) standards, such as the NIST Cybersecurity Framework, which emphasizes identification, protection, detection, response and recovery. We regularly assess our information security program capabilities and tools to improve reliability, enhance capabilities and scan our environment for vulnerabilities and weaknesses. Our information technology teams are trained to remediate vulnerabilities identified within established timeframes and our information security team reports to management on a weekly basis regarding the security risk posture of our information technology assets. We have established a dedicated Information Technology Risk team tasked with the goal of ensuring that risk remediation activities are carried out consistently and that risk remediation controls are operating as intended and within established thresholds.

Enterprise-wide training is a vital component to reducing risk and protecting customers, employees and company information. We expect all Delta employees and third-party contractors to adhere to information security and privacy policies as they handle corporate and customer information in their daily jobs. As a result, we require all employees and contractors with access to Delta’s information to complete annual training, which is updated as new technology, security and privacy issues emerge. All new employees are required to complete training within 30 days of hire. We also conduct, at least annually, other training and employee education activities, including through awareness programs and campaigns.

We engage assessors, consultants, auditors and other third parties to perform assessments of our cybersecurity program with the intent to identify areas for continued improvement, as well as to ensure ongoing compliance with regulatory requirements to which we are subject. In connection with certain regulatory requirements, we are required to engage third parties to assess our cybersecurity controls. Our cybersecurity program is subject to TSA requirements applicable to certain TSA-regulated airport and aircraft operators, including the requirement to develop a TSA-approved implementation plan describing measures we are taking to improve cybersecurity and to assess the effectiveness of those measures on an ongoing basis.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits.

We regularly test our incident response processes through table-top exercises to ensure they continue to be effective as our business and the cybersecurity threat landscape evolve. Our incident response processes are designed to guide the actions we take to prepare for, detect, respond to and recover from cybersecurity incidents.

In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We describe whether and how risks related to cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference in this Item 1C.

Delta Air Lines, Inc. | 2024 Form 10-K 27

Governance

Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer at least twice per year with additional updates as requested by the Chair of the Audit Committee. In 2024, the Audit Committee received updates on information security matters at two of its regular meetings. In addition, our Chief Information Officer, our Chief Information Security Officer, other members of our information technology leadership team provided a general overview of information technology matters, including cybersecurity, in a special session with all members of our Board of Directors. In addition to information provided in these meetings, members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies.

Our information security team is led by our Senior Vice President & Chief Information Security Officer, who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities.

Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Risk Council and Leadership Committee, as well as the Audit Committee and the Board, as merited.
Item 2. Properties

Flight Equipment

Our operating aircraft fleet, purchase commitments and options at December 31, 2024 are summarized in the following table.

Mainline aircraft information by fleet type

| Fleet Type | Current Fleet (1): Owned | Current Fleet (1): Finance Lease | Current Fleet (1): Operating Lease | Current Fleet (1): Total | Current Fleet (1): Average Age (Years) | Commitments: Purchase | Commitments: Options |
|---|---|---|---|---|---|---|---|
| A220-100 | 45 | - | - | 45 | 5.0 | - | - |
| A220-300 | 28 | - | - | 28 | 2.2 | 72 | - |
| A319-100 | 57 | - | - | 57 | 22.8 | - | - |
| A320-200 | 55 | - | - | 55 | 28.9 | - | - |
| A321-200 | 70 | 15 | 42 | 127 | 6.0 | - | - |
| A321-200neo | 69 | - | - | 69 | 1.4 | 86 | 70 |
| A330-200 | 11 | - | - | 11 | 19.8 | - | - |
| A330-300 | 28 | - | 3 | 31 | 15.9 | - | - |
| A330-900neo | 25 | 2 | 5 | 32 | 2.6 | 7 | 10 |
| A350-900 | 24 | - | 11 | 35 | 4.9 | 9 | 10 |
| A350-1000 | - | - | - | - | - | 20 | - |
| B-717-200 | 48 | 32 | - | 80 | 23.3 | - | - |
| B-737-800 | 73 | 4 | - | 77 | 23.3 | - | - |
| B-737-900ER | 114 | - | 49 | 163 | 9.0 | - | - |
| B-737-10 | - | - | - | - | - | 100 | 30 |
| B-757-200 | 88 | - | - | 88 | 26.9 | - | - |
| B-757-300 | 16 | - | - | 16 | 21.9 | - | - |
| B-767-300ER | 40 | - | - | 40 | 28.4 | - | - |
| B-767-400ER | 21 | - | - | 21 | 24.0 | - | - |
| Total | 812 | 53 | 110 | 975 | 14.9 | 294 | 120 |

(1) Excludes certain aircraft we own or lease that are operated by regional carriers on our behalf shown in the table below.

The following table summarizes the aircraft operated by regional carriers on our behalf at December 31, 2024.

Regional aircraft information by fleet type and carrier

| Carrier / Fleet Type (1)(2) | CRJ-700 | CRJ-900 | Embraer 170 | Embraer 175 | Total |
|---|---|---|---|---|---|
| Endeavor Air, Inc. (3) | 9 | 122 | - | - | 131 |
| SkyWest Airlines, Inc. | 7 | 36 | - | 86 | 129 |
| Republic Airways, Inc. | - | - | 11 | 46 | 57 |
| Total | 16 | 158 | 11 | 132 | 317 |

(1) We own 195 and have operating leases for two of these regional aircraft. The remainder are owned or leased by SkyWest Airlines, Inc. or Republic Airways, Inc.
(2) Excluded from the total operating count above are nine CRJ-700 and one CRJ-900 which are owned and temporarily parked as of December 31, 2024.
(3) Endeavor Air, Inc. is a wholly owned subsidiary of Delta.


Company Information

Name: DELTA AIR LINES, INC.
CIK: 0000027904
SIC Description: Air Transportation, Scheduled
Ticker: DAL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30