L3HARRIS TECHNOLOGIES, INC. /DE/ 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

L3HARRIS TECHNOLOGIES, INC. /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:25:17 EST.

Filings

10-K filed on 2025-02-14

L3HARRIS TECHNOLOGIES, INC. /DE/ filed a 10-K at 2025-02-14 16:25:17 EST
Accession Number: 0000202058-25-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Risk Management and Strategy We assess and identify material risks from cybersecurity threats primarily through the work of our Information Security organization, which is fully integrated in our enterprise risk management (" ERM “) process in close partnership with other functions such as Engineering, Industrial Security, Internal Audit , and Legal. The ERM process, administered by management with input from each business segment and function, continuously monitors material risks facing L3Harris, including cybersecurity threats. Our Information Security organization, is led by our Chief Information Officer (” CIO “), who has extensive experience leading information technology for global _____________________________________________________________________ 16 organizations across aerospace, defense and industrials, and works directly with our Chief Executive Officer (” CEO “) and other members of senior management to assess cybersecurity threats as part of the ERM process. The CIO oversees the internal cybersecurity organization of more than 100 full-time employees headed by our Chief Information Security Officer (our " Cybersecurity Team “). Risks related to cybersecurity threats are reflected in an enterprise risk “heat map,” along with other material risks identified through the ERM process, and any mitigation plans developed to manage such risks are reported to our Board of Directors (” Board “). The “heat map” includes risks related to cybersecurity threats to L3Harris and our customers, suppliers, vendors, subcontractors or other third parties, and the possibility of a data breach of our confidential, personal and proprietary information through a cybersecurity incident impacting L3Harris or any third party. To actively manage cybersecurity risks identified as part of the ERM process or otherwise and to manage emerging cybersecurity threats in real time, management has implemented an ISO 27001 certified Information Security Management System. Our Cybersecurity Team operates a Security Operations Center that continuously monitors activity, frequently scans applications and systems for vulnerabilities to risk from cybersecurity threats and creates action plans to address and track identified cybersecurity threats until they have been remediated. Activities and cybersecurity incidents are reported to our CIO, who briefs senior management, including our CEO, as well as the Innovation and Cyber Committee and the Audit Committee of our Board (respectively, the “Innovation and Cyber Committee " and the " Audit Committee “), as appropriate. Our Cybersecurity Team also routinely engages with third parties, including government agencies focused on cyber resiliency, to manage risks from cybersecurity threats. For example, we are members of the DoD Defense Industrial Base Collaborative Information Sharing Environment, the National Defense Information Sharing and Analysis Center, and the National Security Agency Enduring Security Framework. These organizations share real-time cybersecurity threat information and best practices in protecting, detecting and recovering from cybersecurity threats. We are committed to safeguarding against both internal and external security threats through a robust counterintelligence and insider threat program that utilizes cutting-edge data analytics and machine learning. As a defense contractor, we are subject to the Department of Defense’s cybersecurity regulations, including the Defense Federal Acquisition Regulation Supplement, ensuring the protection of Controlled Unclassified Information and prompt reporting of cybersecurity incidents. Our practices have been rigorously assessed by the Defense Contract Management Agency to meet the Level 2 Cybersecurity Maturity Model Certification requirements, reflecting our dedication to maintaining stringent security controls. To mitigate cybersecurity risks introduced from our supply chain, we have a dedicated Cybersecurity - Supply Chain Risk Management team. This team assesses new suppliers against best cybersecurity practices, ensures cybersecurity regulations are contractually flowed down and coordinates mitigation actions across the company if a supplier is impacted by a cybersecurity incident. The Supply Chain Risk Management team utilizes industry monitoring services to identify potential supply chain incidents and works closely with our Cybersecurity Team to understand the latest threats affecting our industry. Additionally, as part of our processes to manage risks related to a breach in our information systems, management requires employees to take annual cybersecurity training and shares regular awareness updates regarding cybersecurity threats. Our Cybersecurity Team regularly tests employees throughout the year to assess the effectiveness of the cybersecurity training. We also periodically conduct penetration testing of our network, hold tabletop exercises of cyber incidents, and undertake cybersecurity assessments led by Internal Audit to improve our risk mitigation and assist in the determination of a potential material impact caused by a cybersecurity incident. While we have implemented robust practices to mitigate cybersecurity risks, and prior cybersecurity threats have not materially affected our business strategy, results of operations or financial condition, we could be negatively impacted by a cybersecurity breach, through cyber-attack, cyber intrusion, insider threats, supply chain incidents, or otherwise, or other significant disruption of our IT networks and related systems or of those we operate for certain of our customers. See “Item 1A. Risk Factors” in this Report for further discussion of specific risks related to cybersecurity threats. _____________________________________________________________________ 17 Governance The Audit Committee provides regular oversight and review of our ERM process and other guidelines and policies governing the processes by which our CEO and senior management assess our exposure to risk, including risk from cybersecurity threats. The Innovation and Cyber Committee receives regular briefings from our CIO , Chief Information Security Officer and other members of senior management on cybersecurity threats and related matters and assists the Audit Committee in its oversight and review of our ERM process. The Innovation and Cyber Committee reviews our cybersecurity risk across the enterprise at least annually, including IT, supply chain and products and our cybersecurity strategy framework and operational posture. The Innovation and Cyber Committee also reviews our IT, data security and other systems, processes, policies, procedures and controls at least annually to (a) identify, assess, monitor and mitigate cybersecurity risks; (b) identify measures to protect and safeguard against cybersecurity threats and breaches of confidential information and data and IT infrastructure and our other assets or assets of our customers or other third parties in our possession or custody; (c) support the response and management of cybersecurity threats and data breach incidents; and (d) aid in compliance with legal and regulatory requirements governing cybersecurity or data security reporting requirements. The Innovation and Cyber Committee reports its activities to the full Board on a regular basis and makes such recommendations to the Board and management with respect to risks from cybersecurity threats and other matters as it deems necessary or appropriate.

Company Information