Page last updated on March 3, 2025
Spirit AeroSystems Holdings, Inc. described its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-28 at 16:36:04 EST.
Filings
10-K filed on 2025-02-28
Spirit AeroSystems Holdings, Inc. filed a 10-K at 2025-02-28 16:36:04 EST
Accession Number: 0001628280-25-009088
Item 1C. Cybersecurity.

Cybersecurity Program

Our cybersecurity program is designed to detect known and anticipated threats, and to contemplate various types of unexpected but possible threats. We have developed processes designed to identify, assess, mitigate, analyze and respond to threats, and continue to mature our cyber resiliency solutions. We continuously monitor the cybersecurity landscape and identify active and potential threats through a combination of tools and processes. Our Global Information Security (“GIS”) team has day-to-day responsibility for Spirit’s cybersecurity program. This group is led by our Chief Information Security Officer (“CISO”), who has more than twenty years of relevant audit and cybersecurity experience. The CISO collaborates across the business, participates in internal audits, and is active in several leading industry groups to help benchmark our efforts with third parties. GIS receives and analyzes information from various resources to inform our cybersecurity program needs.

An Executive Security Council comprised of senior leaders across the business meets regularly to discuss the company’s overall cybersecurity strategy, policies, and key cyber risks and mitigations. Significant risks are escalated to the Enterprise Risk Council, which is chaired by our President and CEO, who was the Deputy Secretary of Defense during the development of the 2018 Department of Defense Cyber Strategy.

We implement appropriate controls to help protect our information or information we have control of on our systems, and our operations. We evaluate our controls and systems against industry-recognized standards and contractual requirements, as applicable. The CISO monitors and reviews our process of patching compliance, which is managed and executed via a combination of internal resources and third-party service providers. We also use third parties to supplement monitoring of cyber activity and for various special projects, which may include projects related to cybersecurity.

As part of our cybersecurity risk management program, we have planned “tabletop” exercises designed to simulate various cybersecurity threats or intrusions, help identify gaps in our preparedness, and help provide clarity in how to respond to any potential incidents. These exercises are designed to test the working level and senior leadership level, including participation by Executive leaders. All employees are required to take mandatory cybersecurity training courses throughout the year. We execute simulated phishing exercises for all employees monthly and provide direct feedback to employees who fail such simulations to help them understand how to recognize phishing attempts.

Our overall program is designed to help us prevent and effectively respond to cybersecurity incidents. GIS maintains an Incident Management and Response Policy that provides a classification framework for cybersecurity incidents and defines critical roles and responsibilities during a cybersecurity incident. The Incident Response Policy specifies ownership and timing of key actions and prescribes the engagement of functional leaders, senior Executives, and the Board of Directors, depending on the incident. We have developed playbooks to guide specific actions related to different incident types. Finally, we have a cyber insurance policy underwritten by a global leader in commercial insurance solutions.

Part of our Enterprise Risk Management program involves understanding risks that third parties, including our supply chain partners, introduce to our organization. Our GIS organization has a formal risk assessment process that evaluates the cybersecurity risk of third-party “as-a-service” providers, particularly in situations where we share confidential or sensitive information, or in situations where our compliance status or operations may be impacted through a cybersecurity incident.

Cybersecurity Governance

The Board of Directors’ Risk Committee has the responsibility for oversight of our cybersecurity program. This committee’s membership includes subject matter experts in both cybersecurity and national security. Spirit’s CISO reports to the Risk Committee quarterly or as needed on the state of our cybersecurity program.

Cybersecurity Risks

To date, we are not aware of risks from cybersecurity threats, including as a result of any previous known cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, we are subject to various cybersecurity risks, and we have experienced cyber-attacks, and routinely experience cybersecurity threats and attempts to gain access to sensitive information, as do our customers, suppliers, and other third parties with which we work. We cannot provide assurance that our processes and procedures will be sufficient to anticipate, detect, recognize or prevent cybersecurity threats. For more information about the cybersecurity risks we face, see Item 1A. “Risk Factors - Risks Related to Our Operations”.
Company Information
| Field | Value |
| --- | --- |
| Name | Spirit AeroSystems Holdings, Inc. |
| CIK | 0001364885 |
| SIC Description | Aircraft Parts & Auxiliary Equipment, NEC |
| Ticker | SPR - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |