Frontier Group Holdings, Inc. 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

Frontier Group Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 08:00:42 EST.

Filings

10-K filed on 2025-02-18

Frontier Group Holdings, Inc. filed a 10-K at 2025-02-18 08:00:42 EST
Accession Number: 0001670076-25-000041


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

In order to respond to the threat of security breaches and cyberattacks, we have developed and maintain a cybersecurity risk management program that is designed to protect and preserve the confidentiality, integrity and continued availability of our systems and information. Our cybersecurity risk management program also includes a cybersecurity incident response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incidents. The maturity of our cybersecurity program is assessed annually.

We have developed an internal cybersecurity risk management framework which utilizes industry frameworks and standards, such as the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST CSF and other security standards, guidelines and best practices within our own framework to help us identify, assess and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program shares common methodologies, reporting channels and governance processes that apply across our overall enterprise risk assessment to other legal, compliance, strategic, operational and financial risk areas.

Our cybersecurity risk management program includes:

- risk assessments and rating platforms that are leveraged to help identify material cybersecurity risks to our critical systems, information, services and our broader enterprise information technology environment;
- a cybersecurity team principally responsible for managing our cybersecurity risk assessment processes and our response to cybersecurity incidents through monitoring and identification activities;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- annual cybersecurity awareness training for employees and web and mobile developers, including responsible information security, data security and cybersecurity practices;
- a computer incident response team (“CIRT”) that leverages our cybersecurity incident response plan which includes procedures for responding to cybersecurity incidents, escalating notifications and reporting requirements to regulatory bodies; and
- a third-party risk management process for service providers, suppliers and vendors.

We did not identify a material security breach during the year ended December 31, 2024, nor have we identified risks from any known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition.

Cybersecurity Governance

Our board of directors is responsible for risk oversight, including cybersecurity risks, which occurs at the board of directors level and through the Audit Committee’s oversight of cybersecurity and other information technology risks. Additionally, we have a Cybersecurity Disclosure Committee (“CDC”), which includes representation from our Information Technology, Legal, Internal Audit and Accounting and Reporting teams. The CDC is responsible for assessing the materiality of cybersecurity incidents based on quantitative and qualitative materiality factors, and for providing recommendations on public disclosures of cybersecurity incidents to the Audit Committee if an incident is identified to be possibly material. The CDC also provides input and consideration into internal controls surrounding cybersecurity along with reviewing cybersecurity risks, mitigation strategies, and ensuring the cybersecurity strategy is in alignment with business objectives.

The Audit Committee receives reports as necessary, and no less than quarterly, from our cybersecurity management team on our cybersecurity risks and related information, including, but not limited to, analysis of events that have impacted our peers, updates on program maturity, regulatory compliance status and cybersecurity program status and updates. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Audit Committee regularly briefs our board of directors on the matters communicated to the Audit Committee by our cybersecurity management team and the CDC, and our board of directors also receives periodic briefings from our cybersecurity management team on our cybersecurity risk management program and on cybersecurity threats in order to enhance our directors’ literacy on cybersecurity issues.

Management’s Role

Our cybersecurity management team is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for implementing our overall cybersecurity risk management program, including ongoing monitoring, and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants and professional services providers. Prior to the resignation of our Chief Information Officer (“CIO”) in November 2024, the cybersecurity management team was co-led by our CIO and Director of Cybersecurity. Our Director of Cybersecurity currently leads the team and, once we hire a new CIO, we expect that individual will serve as a co-leader.

Our Director of Cybersecurity heads the division and is responsible for aspects of cybersecurity across our infrastructure, which includes cybersecurity architecture and engineering, cybersecurity operations, identity governance and IT governance, risk and compliance. Our Director of Cybersecurity has served in various cybersecurity roles for over 20 years at numerous organizations and consulting firms. Our Director of Cybersecurity earned a Bachelor of Business Administration in Management Information Systems (MIS) from Florida International University and a Master of Business Administration (MBA) in Management from Nova Southeastern University and also holds active cybersecurity certifications including the GIAC Certified Incident Handler (GCIH), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP).


Company Information

Name: Frontier Group Holdings, Inc.
CIK: 0001670076
SIC Description: Air Transportation, Scheduled
Ticker: ULCC - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30