Science Applications International Corp - (SAIC)
10-K Filing Date: March 20, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company is subject to various cybersecurity risks and continuously monitors and assesses its cybersecurity measures to protect against potential threats. These risks include operational disruption, reputational harm, theft of intellectual property, fraud, extortion, harm to customers or employees, and violation of data privacy or security laws.
The Company has a comprehensive cybersecurity management and oversight program designed to identify, manage, and mitigate potential risks. This program is integrated into our overall risk management systems and processes and includes continuous monitoring of cybersecurity threats, regular assessments of information systems, vulnerability management, penetration testing, employee training on cybersecurity best practices, and ongoing assessments of risk.
In the event of a cybersecurity incident, the Company has established an incident response plan to promptly and effectively address the situation. Cybersecurity events and data incidents are evaluated, ranked by severity, and prioritized for response, remediation, and escalation to senior management and the Risk Oversight Committee ("ROC") of our Board of Directors. The plan includes procedures for investigating and containing incidents, notifying affected parties, and implementing corrective actions to prevent future occurrences.
The Company relies on various third-party providers, such as vendors, suppliers and other business partners, for certain aspects of its operations. These third parties may also be susceptible to cybersecurity risks. The Company conducts due diligence on the cybersecurity practices and controls of these providers and includes contractual provisions requiring the providers to maintain appropriate cybersecurity measures. In addition, in the case of a third-party cybersecurity incident, the Company identifies and mitigates risks to minimize impacts to us from third-party incidents.
Governance
Management's Responsibilities
The Company’s information security program is led by our corporate Chief Information Security Officer ("CISO"), who works closely in a cross-functional capacity with key corporate and operational business stakeholders. The individuals supporting the Company's information security program demonstrate their cybersecurity expertise through qualifications such as prior work experience, possession of a cybersecurity certification, degree, or other cybersecurity experience. The CISO collaborates with these functions for the purpose of establishing processes and procedures to monitor potential cybersecurity risks, identifying cybersecurity incidents, implementing appropriate mitigation measures, reporting cybersecurity breaches and other information security incidents, assessing materiality, and maintaining our cybersecurity program. The CISO provides regular updates on the Company's cybersecurity posture and preparedness to senior management.
Board of Directors' Roles and Responsibilities
Our cybersecurity risks and associated mitigations, as part of our enterprise risk management, are evaluated by senior leadership. These risks and mitigations are also subject to oversight by the Audit Committee and the ROC of our Board of Directors. The ROC is the primary committee that oversees enterprise cybersecurity risks and reviews cybersecurity matters. The ROC oversees our policies and procedures for protecting our cybersecurity infrastructure and for compliance with data protection and security regulations, and related risks. The ROC receives information regarding such risks from management, including our CISO, and reports to the Board on a quarterly basis. The ROC also oversees the Board’s response to any significant cybersecurity incidents.
Cybersecurity Threats
To date, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business operations or financial condition. While the Company has taken significant steps to manage cybersecurity risks, there can be no assurance that these measures will prevent all potential incidents. A material cybersecurity incident could have a material adverse effect on the Company’s financial condition, results of operations, or cash flows. The Company is committed to addressing cybersecurity risks in an ever-evolving technological landscape. Management will continue to evaluate and enhance its cybersecurity measures to adapt to emerging threats and comply with evolving regulatory requirements.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our organizational strategy, results of operations, or financial condition as part of our risk factor disclosures in Part I, Item 1A of this report.