Rocket Lab USA, Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Rocket Lab USA, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:44:00 EST.

Filings

10-K filed on 2025-02-27

Rocket Lab USA, Inc. filed a 10-K at 2025-02-27 16:44:00 EST
Accession Number: 0001628280-25-008724

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our cybersecurity risk management strategy is a key component and has been integrated into our overall enterprise risk management program and has been designed based on established industry frameworks and standards, including those developed by the National Institute of Standards and Technology and the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program. Although this does not mean that we currently meet all of any particular technical standards, specifications, or requirements, we use these frameworks, complemented by insights from internal assessments, to guide the development of policies governing the use of our information assets, access to intellectual property, and the safeguarding of personal information. To fortify our information assets, we employ industry-standard measures such as multifactor authentication and endpoint protection defenses. Moreover, we collaborate with internal stakeholders across the organization to embed fundamental cybersecurity principles into our operations. This entails implementing multiple layers of cybersecurity defenses, restricting access based on business necessity, and ensuring the integrity of our business information. Throughout the year, our employees undergo regular cybersecurity awareness training, receive guidance on protecting confidential information, and participate in simulated phishing exercises. We maintain a cybersecurity incident response plan that includes a cross-functional response team and procedures for responding to cybersecurity incidents. We engage third-party assessors to conduct penetration testing and evaluate our adherence to industry-standard frameworks. Additionally, we maintain ongoing relationships with incident response experts and other external professionals. We also seek to collaborate with industry peers and cybersecurity practitioners in order to facilitate the exchange of insights and knowledge regarding potential threats, best practices, and emerging trends. We have developed processes to identify and oversee risks from cybersecurity threats associated with our third-party service providers, which includes the information security team assisting with and assessing cybersecurity robustness during onboarding as well as risk-based monitoring on an ongoing basis. Our global information technology security team collaborates periodically with a cross-functional group of subject matter experts and leaders to assess and refine our cybersecurity posture and preparedness. This collaborative effort extends to partnerships with the National Defense Cyber Alliance, National Security Agency, and the FBI to monitor and comprehend active risks within the Aerospace industry, Defense Industrial Base, and Critical Infrastructure. As of December 31, 2024, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected or are reasonably likely to materially affect the Company’s business strategy, financial condition or results of operations. For further details on cybersecurity risks, please refer to the Risk Factors discussion in Item 1A of this Report, including the discussion under the heading " Any significant disruption in or unauthorized access to our computer systems or those of third parties that we utilize in our operations, including those relating to cybersecurity or arising from cyber-attacks, could result in a loss or degradation of service, unauthorized disclosure of data, or theft or tampering of intellectual property, any of which could materially adversely impact our business. " Governance of Cybersecurity Risk Management Our Board of Directors (the “Board”) holds collective oversight responsibility for our strategic and operational risks. Assisting the Board in this capacity, our Audit Committee thoroughly reviews and deliberates on our risk assessment and risk management practices, including cybersecurity risks, in collaboration with management. The Audit Committee provides periodic reports on these reviews to the full Board of Directors. Management bears the responsibility for the day-to-day assessment and management of cybersecurity risks. Our Chief Information Officer (CIO) assumes primary oversight of material risks stemming from cybersecurity threats. With over 20 years of experience across various information technology roles, our CIO also serves as the Vice President accountable for the Information Technology organization and information protection. Reporting directly to our CIO, our Cybersecurity Manager brings over 15 years of experience in aerospace IT organizations, coupled with more than 10 years of expertise in cybersecurity. Our CIO and Cybersecurity Manager evaluate our cybersecurity readiness through a combination of internal assessment tools and third-party control tests, vulnerability assessments, audits, and alignment with industry standards. We maintain governance and compliance structures tailored to promptly escalate cybersecurity-related matters to our cybersecurity team, addressing potential threats or vulnerabilities. Incidents undergo evaluation based on their impact and potential materiality, followed by reporting to designated internal and external personnel in accordance with defined procedures. Moreover, we implement diverse defensive measures and continuous monitoring techniques, leveraging established industry frameworks and cybersecurity standards, including collaboration with third-party security operations centers. Our CIO conducts periodic meetings with the Audit Committee to review our information technology systems and address significant cybersecurity risks.

Company Information