BlackSky Technology Inc. - (BKSY)
10-K Filing Date: March 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes as described below.
We conduct at least quarterly assessments of risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
In addition to these quarterly risk assessments, we conduct assessments when there is a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we evaluate whether and how to re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and evaluate the effectiveness of our safeguards at least semi-annually. We devote significant resources and designate high-level personnel, including our Chief Information Officer who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with the people operations, IT, compliance, and legal departments, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings at least annually.
We engage assessors, consultants, or other third parties for supplemental cyber monitoring and assessment of cybersecurity policies and controls in support of the risk assessment. We contractually require key and/or relevant third-party service providers to certify that they have the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of their security measures that may affect our company. Depending on the severity of the suspected breach, these reports may be among the information supplied to our Chief Information Officer.
We, like any technology company operating in the current environment, have previously experienced cybersecurity incidents. However, as of the date of this Annual Report on Form 10-K, we do not believe that any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, are reasonably likely to have a material effect on us, our business strategy, results of operations, or financial condition. For additional information regarding risks related to cybersecurity threats, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K, including the risk factor entitled "Any significant disruption in or unauthorized access to our computer systems or those of third parties that we utilize in our operations, including those relating to cybersecurity or arising from cyber-attacks, could result in a loss or degradation of service, unauthorized disclosure of data, or theft or tampering of intellectual property, and give rise to potential harm to customers, remediation and other expenses under a variety of domestic and international laws or other laws or common law theories, subject us to litigation and federal and state governmental inquiries, damage our reputation, and otherwise be disruptive to our business and operations."
Governance
One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through its strategy committee.
Our Chief Information Officer is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our Chief Information Officer has nearly four decades of overall information technology experience in secure environments, including eight years of infrastructure and cybersecurity leadership at our Company. Furthermore, our Strategy Committee Chair brings nearly four decades of technical and organizational leadership experience, having previously held senior US government positions as the Principal Deputy Director of National Intelligence and the Senior Advisor to the Director for Cyber and Director of Information Operations for the CIA, where she was responsible for cyber operations, foreign cyber threat assessment, and cybersecurity. She sits on the boards of several public and private technology companies, filling the role of their cybersecurity expert.
Our Chief Information Officer oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The process by which our Chief Information Officer is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents includes the review of weekly reports provided by our security team highlighting metrics that relate to potential threats and vulnerabilities as well as status updates on our security initiatives and mitigations. The updates also include a review of emerging cyber risks and other relevant issues identified in our cyber threat intelligence reporting.
Our Chief Information Officer presents quarterly briefings to the strategy committee and/or our board of directors regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, and activities of third parties. The strategy committee provides at least quarterly updates to the board of directors on such reports. In the event of a material cybersecurity incident or series of incidents, our Chief Information Officer will notify the strategy committee and the audit committee of the Company's board of directors and work with legal counsel to ensure appropriate disclosures are made to regulatory agencies.