BigBear.ai Holdings, Inc. - (BBAI)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

We face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries, including nation state actors, that target the defense industrial base and other critical infrastructure sectors. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations.

Our Cybersecurity program is built upon the National Institute of Standards and Technology Cybersecurity Framework (the “NIST Framework”), issued by the U.S. government as a guideline to manage cybersecurity-related risk. We also employ industry best practices and other global and local standards and regulations as we continuously evaluate our risks. We utilize independent third parties to assess our adherence to these frameworks.

Our Cybersecurity program is supervised by a dedicated Chief Information Security Officer (CISO), who has over 15 years’ experience in cybersecurity and operations and holds the following certifications: Certified Information Systems Security Professional (CISSP) and Certification in Risk and Information Systems Control (CRISC). The CISO’s team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. A strong partnership exists between our Information Technology, Cybersecurity, Internal Audit, and Legal functions so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required. We have established a Governance, Risk, and Compliance (GRC) program to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation and remediation of cybersecurity incidents. The CISO reports information about such risks to the Board of Directors.

Our cybersecurity strategy is built upon the principle that cybersecurity risk is business risk and must be addressed within the context of the overall enterprise risk. Our practices include development, implementation, and improvement of policies, standards, and guidelines, which serve as the foundation of our program. We continuously monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational impacts of any threat and cybersecurity risk countermeasures made to defend against such threats. We leverage government partnerships, industry and government associations, third-party benchmarking, and threat intelligence to safeguard information and ensure availability of critical data and systems.

We have a robust Incident Response Plan that coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess, escalate, contain, investigate, and remediate the incident, as well as comply with potentially applicable legal obligations and mitigate brand and reputational damage.

Our Cybersecurity Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect BigBear.ai’s resources and information. This training is mandatory for all employees and is supplemented by enterprise testing initiatives, including periodic phishing tests. We provide specialized security training for certain employees, such as application developers.

We carry cyber liability insurance to provide a level of financial protection should a data breach occur.

To date, the Company has not experienced any material cybersecurity incidents and we are not aware of any cybersecurity risks that are reasonably likely to materially affect the Company.

The Board of Directors, as well as the Audit Committee and the Nominating and Governance Committee, have oversight of risks from cybersecurity threats. Each of these bodies is informed of these risks at quarterly meetings at a minimum, and on an ad hoc basis as necessary.

Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.