Allegiant Travel CO - (ALGT)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
As a critical infrastructure company, we regularly face cybersecurity threats from malicious third parties that could obtain unauthorized access to our internal systems, networks and data. It is virtually impossible for us to entirely mitigate the risk of these and other security threats we face. The security, performance, and reliability of our network may in the future be disrupted by third parties, including nation-states, competitors, hackers, disgruntled employees, former employees, or contractors. While we have implemented security measures internally and have integrated security measures into our systems, network, and products, these measures have not always functioned as expected and have not always detected or prevented all unauthorized activity, prevented all security breaches or incidents, mitigated all security breaches or incidents, or protected against all attacks or incidents.
We have implemented processes and procedures for the assessment, identification, and management of material risks from cybersecurity threats. These processes implement both qualitative and quantitative measurements that have been agreed upon with our third-party consultants, our auditors, and integrated into our overall risk management process.
Our process includes assessing, mitigating, and managing risk in three categories: cybersecurity or technical risk, vendor risk, and compliance and regulatory risk. To support those risk management categories, we partner with third parties in the implementation of tooling to help us decrease cyber risks and ensure compliance within Allegiant and with third parties. We verify third-party compliance, such as suppliers and business partners, by aligning with several standards. For example, we subject our IT suppliers to the Sarbanes-Oxley (SOX) and payment card industry (PCI) compliance standards where applicable.
To certify our policies and processes to International Standards Organization (ISO)/ International Electrotechnical Commission (IEC) 27001, we are engaging a third-party consulting firm to conduct a gap analysis on our cybersecurity compliance. After achieving compliance, we expect to engage a third-party auditor to ensure we are compliant on an annual basis. Achieving compliance with any cybersecurity standard does not guarantee that controls cannot be broken, bypassed, or circumvented by zero-day vulnerabilities, or malicious threat actors.
Our overall approach to cybersecurity risk management includes the following key elements:
•Multi-layered defenses, coupled with in-depth and continuous monitoring – We utilize data analytics to detect anomalies and search for cybersecurity threats. From time to time, we engage third party consultants or other advisors to assist in assessing, identifying and managing cybersecurity threats. We also periodically use our internal audit function to conduct additional assessments and reviews.
•Insider Threats – We maintain an insider threat program, designed to identify, assess, and address potential risks from within Allegiant. Our program evaluates potential risks consistent with industry best practices, customer requirements and applicable law, including privacy and other considerations.
•Information Sharing and Collaboration – We work with government, customer, industry and supplier partners including government-industry partnerships and critical infrastructure threat intelligence sharing platforms. These relationships enable the rapid sharing of threat intelligence and vulnerability mitigation across the industry and the defense industrial base and supply chain.
•Third Party Risk Assessments – We conduct information security assessments before sharing or allowing the hosting of sensitive information in our computing environments, and those managed by third parties. Our standard terms and conditions with third parties include contractual provisions requiring certain security protections.
•Training and Awareness – We seek to create a culture of security. We provide training to our employees to help identify, avoid, and mitigate cybersecurity threats. Our employees are required to participate in cybersecurity training at least annually and our training includes spear phishing and other awareness training. We regularly remind our employees and partners of the importance of handling and protecting customer and employee data, including through annual privacy and security training. We also host periodic tabletop exercises and drills with management and other employees to practice rapid response to cyber incidents.
•Supplier Engagement – We require our suppliers to comply with our standard information security terms and conditions and require them to complete information security questionnaires to enable us to review and assess any potential cyber-related risks depending on the nature of the services provided.
•Scalability – We continue to invest directly in our cybersecurity program, as well as augmentation of those cybersecurity services through managed services and third parties, depending on the maturity and risk of the operating model of the business unit.
Disclosure of Identified Risks:
As of the date of this report, we have not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although we have not experienced cybersecurity incidents that are individually, or in the aggregate, material, we have experienced cyberattacks in the past, which we believe have thus far been largely mitigated by preventative, detective and responsive measures implemented by us. For a detailed discussion of our cybersecurity related risks, see Item 1A Risk Factors – “A breach in the security of personal information, breach in credit card data or system disruptions caused by security breaches or cyberattacks – including attacks on those parties we do business with
29
– could harm our ability to conduct our operations and could have a material adverse effect on our financial position or results of operations.”
Board Oversight of Cybersecurity Risks:
Our board is responsible for overseeing our enterprise risk management activities in general, the appropriate committees assist the board in the role of risk oversight. Our chief information security officer (CISO) presents a quarterly update to the full board, including an update on our risk management process and risk trends related to cybersecurity.
Management’s role in Managing Cybersecurity Risks:
We have a dedicated cybersecurity team, composed of individuals with a diverse set of information security, cybersecurity, and governance, risk and compliance backgrounds, collectively giving our cybersecurity program significant experience. Our CISO leads our day-to-day data security and customer privacy efforts — overseeing operations, cybersecurity, privacy risk and compliance. The CISO, who has more than 30 years of experience reports daily to our chief information officer (CIO), monthly to the risk and compliance committee (consisting of the president and executive leadership) and quarterly to our board.
30