Spire Global, Inc. - (SPIR)
10-K Filing Date: March 06, 2024
Cybersecurity Risk Management and Strategy
We recognize the need to continually monitor and assess material risks associated with cybersecurity threats, as that term is defined in Item 106(a) of Regulation S-K. Additionally, we maintain a comprehensive risk management framework designed to respond quickly to perceived threats and to mitigate the impact of a cybersecurity incident. The cybersecurity risks we face include, but are not limited to, unauthorized access to sensitive information, breach of critical systems resulting in loss of constellation control, and denial of service against critical systems.
Cybersecurity risk management forms part of our overall risk management framework, which is regularly reviewed by our Chief Technology Officer (“CTO”), our senior management team and our Board of Directors. We retain an ISO 27001:2013 certification for our information security management system (“ISMS”), which covers the assets, technologies, personnel, and processes used by our corporate IT environment, as well as the satellite command and control, data uplink and downlink pipelines, and ground stations used by our radio frequency collection and data products. Cybersecurity incident response procedures are enumerated in internal policies and procedures, with remediation plans scaled to the scope and severity of the incident. Remediation typically involves incident analysis, incident isolation and eradication, and post-incident review. When a cybersecurity incident is detected, the IT Security Team reports the event to our legal and compliance teams, who then advise on any additional notification or reporting requirements.
We regularly assess risks related to regulatory compliance, technical operations, business operations, and product and contract deliverables. Risks are managed, documented, and tracked as part of operating the ISMS and other processes. Risks are internally assessed and categorized based on perceived likelihood and on impact to system confidentiality, integrity, and availability, as described by the ISO 27005 Information Security Risk Management international standard. We also engage third-party penetration testers, assessors, vendors, and auditors to assist with external network vulnerability scanning, penetration testing, internal audits, external audits, threat intelligence, and employee training activities. Additionally, we use a variety of self-hosted and SaaS tools to assist with vulnerability identification, mitigation, and remediation.
Identified risks and vulnerabilities are ranked and prioritized for mitigation based on the aforementioned factors. Risk mitigation and minimization activities include: regular software patches and updates; permitting only required connections to sensitive and critical systems; reactive response to newly disclosed exploitable vulnerabilities; implementation of additional auditing and monitoring controls; and cadence-driven system security assessments for critical systems.
We assess the cybersecurity posture of third-party service providers, vendors and suppliers at least annually and whenever a vendor implements significant product or operational changes. We maintain regular communication with these partners via email, chat services, ticketing systems, and scheduled meetings to promptly address and remediate any perceived vulnerabilities.
We also provide mandatory training to our employees to help them identify, avoid and mitigate cybersecurity threats. These trainings cover a wide range of cybersecurity topics, such as insider threats, phishing, spoofing, and the like.
As of the date of this Annual Report on Form 10-K, we have not experienced a cybersecurity threat or incident that materially affected or is reasonably likely to materially affect our business or operations, but there can be no guarantee that we will not experience such an incident in the future. We aim to incorporate industry best practices throughout our cybersecurity program and continue to invest in additional controls designed to ensure the resiliency of our networks and the prevention of cybersecurity incidents. We describe how cybersecurity threats are likely to materially affect us, including our business strategy, results of operations, and financial condition, in the section titled “Risk Factors” in this Annual Report on Form 10-K.
Cybersecurity Governance
Our cybersecurity program is overseen by the Company’s CTO in close collaboration with the CEO/Chairman of the Board of Directors and our legal and compliance teams. Both our CEO and our CTO have technical backgrounds and are well informed about cybersecurity risk management best practices and about our Company’s risk management framework. The legal and compliance teams supporting the Company’s cybersecurity efforts bring experience from prior positions, supplemented by ongoing training sessions and participation in industry events.
Our CTO regularly briefs the full Board of Directors on our cybersecurity and information security posture and the Board of Directors is apprised of all material cybersecurity incidents and the results of any third-party assessments. Additionally, our Board has designated a single Board member, who has experience in assessing and managing cybersecurity risk, to lead the Board-level oversight of cybersecurity risk matters, including staying abreast of cybersecurity best practices and briefing the full Board when significant industry developments occur.
Daily risk management and oversight of the Company’s cybersecurity posture is the responsibility of the Director of IT and Security, who reports directly to the CTO, and the cybersecurity professionals on his team. These team members have extensive experience in networking, cloud and on-premises infrastructure, software development, corporate IT, intelligence, Linux system administration, and data center operations. They are responsible for approving and implementing security operations, security program development, and governance, risk and compliance activities related to cyber matters.