United Airlines Holdings, Inc. - (UAL)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY.
Board and Management Oversight of Cybersecurity Risks
The Company considers management of cybersecurity and digital risk as essential for enabling success. The Audit Committee (the "Audit Committee") of the Board provides oversight of the Company's risk assessment and risk management policies and strategies with respect to significant business risks, including cybersecurity and digital risk. On a regular basis, the Audit Committee receives reports from the Company's Chief Information Security Officer ("CISO") or her representative(s) regarding the identification and management of cybersecurity risks, including, when applicable, notable cybersecurity threats or incidents impacting the aviation sector or the Company, results of independent third-party assessments of the Company's cybersecurity program, key metrics, capabilities, resourcing and strategy regarding the Company's cybersecurity program, and updates related to cybersecurity regulatory developments.
The Company's CISO leads the Cybersecurity and Digital Risk ("CDR") organization, which oversees the approach to identifying and managing cybersecurity and digital risk. The Company's current CISO has extensive technology and risk management experience in critical infrastructure sectors and is qualified as a boardroom certified technology expert by the Digital Directors Network. She serves on the U.S. President's National Infrastructure Advisory Council, examining and providing recommendations related to cross-sector critical infrastructure security and resilience. She serves on the board of directors of the Internet Security Alliance, has served, and continues to serve, as Chair of the Cybersecurity Council at Airlines for America, and has served as Chair and is currently a member of the board of directors of the Aviation Information Sharing and Analysis Center (A-ISAC). The CDR organization includes teams focusing on Cyber Defense, Identity & Digital Trust, and Secure Product Solutions & Aircraft Cybersecurity Operations. The teams include individuals with a broad array of cybersecurity expertise, including experience in offensive cybersecurity; application cybersecurity; product cybersecurity; cloud cybersecurity; infrastructure cybersecurity; cybersecurity systems; engineering and architecture; information technology cybersecurity; operational technology cybersecurity; identity and access management; vulnerability and asset management; cybersecurity threat intelligence; cybersecurity regulatory compliance; digital fraud; digital trust; incident response; insider threat assessment; and aircraft cybersecurity.
The Company's senior leadership, including the Safety, Legal, Government Affairs, Operations, Aviation Security, Finance, Communications and Digital Technology functions, as well as others as needed, support the CDR and contribute to the management of cybersecurity and digital risk by attending regular cybersecurity risk reviews and participating in cybersecurity drills.
Cybersecurity Risk Management and Strategy
The Company established a risk-based strategy informed by guiding principles from industry standard cybersecurity and risk management frameworks, such as those published by the National Institute of Standards and Technology (NIST). The Company's cybersecurity risk management framework is integrated with the Company's Enterprise Risk Management ("ERM") process that is subject to oversight by the Board. Cybersecurity risks are one of the key risks regularly evaluated, assessed and monitored as part of the Company's overall ERM process.
As part of its risk-based strategy, the Company maintains appropriate technical and organizational measures and regularly reviews the appropriateness of those controls considering changes to the technical or regulatory environment. The Company also regularly incorporates cybersecurity awareness training into employee communications, engagement and training activities. The Company participates in various information sharing organizations to timely share and receive threat information, thereby improving the collective defense of the aviation and other critical infrastructure sectors. The Company regularly seeks opportunities to improve its capabilities, including through cybersecurity trainings and skill development programs for its CDR members.
The Company utilizes a variety of third parties in connection with its cybersecurity risk management. For example, the Company uses the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency's Known Exploitable Vulnerabilities Catalog, the MITRE Corporation's Common Vulnerabilities and Exposures database and other threat intelligence portals and feeds to identify vulnerabilities. The Company also employs third-party cybersecurity companies to add capacity or expertise when necessary. Additionally, regular assessments of the Company's cybersecurity program are conducted by independent third-party assessors.
The Company is subject to cybersecurity risks related to its business partners and third-party service providers, as further detailed under the heading "Increasing privacy, data security and cybersecurity obligations or a significant data breach may adversely affect the Company's business" included as part of our risk factor disclosures in Part I, Item 1A. of this report. To manage these risks, the Company has integrated third-party incidents into its cybersecurity incident response processes. The Company also conducts evaluations and assessments of key suppliers based on risk and seeks to incorporate appropriate measures to manage the risk. The Company also regularly monitors the external cybersecurity posture of thousands of third parties through various service providers.
Crucially, the Company, or the third-party service providers it may rely on, may not be able to design or implement technical or organizational controls comprehensively, consistently or effectively as intended to protect the confidentiality, integrity or availability of systems and data. Because the Company utilizes a risk-based strategy, based on professional judgment and analysis of the risks, it is possible that the Company may underappreciate or not recognize a specific risk. Moreover, even the best designed and implemented security controls may not eliminate cybersecurity incidents.
Cybersecurity Incident Management
The CDR organization uses a variety of prevention and detection tools and other resources to identify potential cybersecurity incidents. When a cybersecurity incident is identified, CDR's incident response team engages with the appropriate subject matter experts, the relevant management of impacted organization(s) and others to analyze, contain, eradicate, mitigate, and recover from the incident as applicable. Throughout the incident response process, CDR leadership, the CISO and the Company's Chief Legal Officer are informed and consulted. As appropriate, incidents are escalated for review by the Senior Leader Crisis Team (the "SLCT"), which consists of cross-functional leaders of the Company. A subgroup of the Company's Disclosure Council assesses the information reviewed by the SLCT and makes a recommendation regarding the cybersecurity incident's materiality to the full Disclosure Council and subsequently to the Audit Committee. Additionally, the CDR organization has frequent operating rhythms to, among other things, review cybersecurity incidents and track the progress of cybersecurity initiatives. The SLCT also meets according to regular operating rhythms to review cybersecurity incidents and stay informed of evolving cybersecurity risks.
The Company faces risks from cybersecurity threats, including as a result of any cybersecurity incidents, that could have materially affected or are reasonably likely to materially affect its business strategy, results of operations, and financial condition, cash flows or reputation. Although to our knowledge such risks have not materially affected us in the last three fiscal years, from time to time the Company has experienced and will continue to experience cybersecurity incidents, whether directly or through our supply chain or other channels, in the normal course of its business. For more information about the cybersecurity-related risks that the Company faces, see the risks detailed under the headings "The Company relies heavily on technology and automated systems to operate its business and any significant failure or disruption of, or failure to effectively integrate and implement, these technologies or systems could materially harm its business" and "Increasing privacy and data security obligations or a significant data breach may adversely affect the Company's business" included as part of our risk factor disclosures in Part I, Item 1A. of this Form 10-K.