Satellogic Inc. 10-K Cybersecurity GRC - 2025-03-26

Page last updated on March 26, 2025

Satellogic Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-26 16:03:01 EDT.

Filings

10-K filed on 2025-03-26

Satellogic Inc. filed a 10-K at 2025-03-26 16:03:01 EDT
Accession Number: 0001628280-25-014951


Item 1C. Cybersecurity.

The strategy followed by our Security Incident Response Team (“SIRT”) for managing material risks from cybersecurity threats is aligned to the National Institute of Standards and Technology’s (“NIST”) Cyber Security Framework 1.1 and its associated references in NIST SP 800-53r5.1.1 and NIST 800-61r2 Guides. The strategy was updated in the fourth quarter of 2023 to support our compliance with the SEC’s Rules on Cybersecurity Disclosure for Public Companies and then it was reviewed in the fourth quarter of 2024 as part of our yearly review cycle and is included in our overall enterprise risk management program.

Our Incident Detection and Response (“IDR”) processes and practices include the evaluation of each identified cybersecurity threat event to determine its authenticity and potential impact or whether our systems blocked or mitigated it. Our Incident Response Standard, governed by our Incident Response Policy comprises two separate workflows, both tracked in a ticket system. The first workflow encompasses all events requiring investigation. If an event is confirmed as positive and has caused an impact, a second workflow may be triggered, engaging the Materiality Determination Committee until the incident is reported to the SEC or otherwise determined that there is no material impact.

In furtherance of detecting, identifying, classifying and mitigating cybersecurity and other data security threats, we also:

- Use MFA based authentication and other cryptographical processes to address identity-based cybersecurity risks.
- Use context aware access control processes.
- Adopted processes to ensure security in specific remote environments.
- Have implemented anti-phishing technologies.
- Deploy anti-malware solutions, and have them continuously updated.
- Implemented a SIEM system, where we monitor (automatically and otherwise) our networks, systems and users.
- Perform periodic network and vulnerability scans of our external and internal networks and systems.
- Have an incident detection and response team, with its policies and procedures, to review all events that may be part of a security incident.
- Use processes to assess and prioritize risks related to applications and how we use them.
- Ensure the asset inventory for relevant system components is kept current and accurate.
- Maintain updated network and systems architecture documentation.
- Periodically engage well known external consultants, where appropriate, to assess, test or otherwise assist with aspects of our security controls.
- Provide mandatory training on security and compliance matters to all employees, and some more specific as roles and responsibilities require.
- Have defined and periodically updated our information security policies regarding, among others, access and control, networked devices, credentials management, physical security, etc.
- Implement a secure software development life cycle and a maturity model to assess it, and accompany engineering teams during all the phases of the cycle.
- Evaluate the information security risk associated with suppliers, partners, applications and services used.

We have established a committee specifically dedicated to determining the materiality of cybersecurity incidents (the “Materiality Determination Committee”), which includes key members of our organization: the CFO, Chief Information Security Officer (“CISO”), and the Sr. VP of Operations, the latter having ultimate oversight responsibility for compliance matters. Once a threat event is determined to have any impact, the committee is assembled, informed and the threat event’s material impact is determined. If materiality is confirmed, then the reporting process starts in accordance with SEC rules (including reporting no later than four days after the materiality determination). External help may be engaged at any step in the process, before or after the materiality committee is invoked, depending on the complexity and reach of the incident. Though we do not have a retainer on any external third parties, we have identified a list of potential entities to engage when needed.

We have not identified any cybersecurity incident that had or may have a material impact on our business whatsoever, in particular, no unauthorized access to our information technology systems that either occurred or is reasonably likely to have occurred, including of reports submitted to us by third parties (including regulatory agencies, law enforcement agencies and security consultants), to the extent that such unauthorized access to our information technology systems is reasonably likely to have a material effect on the (consolidated) financial statements, in each case or in the aggregate, and no ransomware attacks when we had been asked, paid or are contemplating paying a ransom, regardless of the amount.

However, conducting our businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes in our businesses. Like other comparable-sized companies that process a wide variety of information, our information technology systems, networks and infrastructure and technology are assumed to be vulnerable to cybersecurity attacks and other data security threats. These types of attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target.

Our Board has ultimate oversight for risks relating to our cybersecurity strategy. In addition, the Board has delegated primary responsibility to the Audit Committee for assessing and managing data privacy and cybersecurity risks, reviewing steps management has taken to monitor and control such cybersecurity risks, and regularly inquiring with our management team and internal auditors in connection therewith. The Audit Committee performs quarterly reviews of any confirmed cybersecurity incident. Additionally, on a bi-annual basis, the Audit Committee receives a comprehensive update regarding any cybersecurity events occurring during the prior period, progress of cybersecurity programs, changes in cybersecurity policies, and ongoing assessments of risks and mitigation activities, and to discuss the evolution of our cybersecurity strategy. The information in these reports and the results of these discussions are used to drive alignment on, and prioritization of, initiatives to enhance our cybersecurity strategies, policies, and processes and make recommendations to improve processes. The process for materiality determination of a cybersecurity threat event considers the possibility of contacting the Audit Committee for assistance, if needed, or to inform of the evolution of an incident with possible material impact.

Our Materiality Determination Committee is tasked with determining the materiality of cybersecurity incidents. Also, every week the CISO updates the Executive Leadership Team (CEO, President, CFO, Sr. VP of Operations, Chief Technology Officer (“CTO”), Chief Product Officer (“CPO”), and Sr VPs of Engineering) on cybersecurity matters including any confirmed incident or any possible threat with a material or otherwise meaningful impact and shares an updated dashboard with key performance indicators on on-going efforts and long-term metrics.

The CISO is directly responsible for directing, “all cyber related activities (including monitoring, preventing, detecting, mitigating, and remediating” and informing the Audit Committee of any cybersecurity incident or threat with material impact, including such threats associated with our use of external suppliers and other third-party service providers. The CISO and VP of Information Security have more than 25- and 30-years’ experience, respectively, working directly in the cybersecurity industry, performing and coordinating red-teaming and blue-teaming exercises, conducting research and developing cybersecurity tools and products, as well as presenting at various international conferences.

The Information Security Team is segmented into three distinct sections: IDR, Secure Development (“SDLC”), and Infrastructure and Access Control (“IAC”). Furthermore, it collaborates with our product groups to integrate security measures into our products and services, thereby enhancing the overall security posture for our customers.


Company Information

Name: Satellogic Inc.
CIK: 0001874315
SIC Description: Radio & Tv Broadcasting & Communications Equipment
Ticker: SATL - Nasdaq; SATLW - Nasdaq
Website:
Category: Non-accelerated filer
Emerging growth company
Fiscal Year End: December 30