Leonardo DRS, Inc. - (DRS)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
As a defense contractor developing advanced technologies, we face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly capable adversaries, including nation state actors that target the defense industrial base and other critical infrastructure sectors. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations.
We recognize that cybersecurity is critical to the success of our business. We regularly contract with the U.S. government on programs classified for national security purposes. To adequately safeguard classified and controlled unclassified information, our Cybersecurity Program operates across the enterprise, strongly supported and overseen by our management and the Board. Employees are regularly trained on potential cyber threats and are expected to maintain a high level of cybersecurity awareness.
Cybersecurity Risk Management and Strategy
Our Cybersecurity Program
Our Cybersecurity Program includes the following four core components: Cyber Operations; Cyber and Information Technology Governance and Compliance; Classified Information Systems; and Cyber/Supplier Risk Management.
•The Cyber Operations team is responsible for maintaining prevention, detection, and response capabilities in a defense-in-depth infrastructure. The prevention, detection, and response capabilities leverage various tools and services. The Cyber Operations team is engaged to provide timely incident response and works to minimize adverse impacts to our operations.
•The Cyber and Information Technology Governance and Compliance team works to align the Company’s cyber approach to requirements such as NIST 800-171, CMMC, and other information technology general controls. The Cyber and Information Technology Governance team develops Company policies designed to reduce, manage, and mitigate cyber risks.
•The Classified Information team maintains the Company’s classified information systems and works closely with the Company’s Industrial Security team to help the Company meet the requirements laid out by the DoD for classified systems.
•The Cyber/Supplier Risk Management team collaborates with the Company’s supply chain function to identify and work with critical suppliers to reduce cyber risk and minimize or eliminate collateral impacts.
As a defense contractor, we must comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement related to adequately safeguarding controlled unclassified information and reporting cybersecurity incidents to the DoD. We have implemented cybersecurity policies and frameworks based on industry and governmental standards to align closely with DoD requirements, instructions and guidance.
We also participate in and support multiple threat-sharing communities, including the National Defense Information Sharing and Assessment Center, the defense industrial base Cybersecurity Program, and the National Defense Cyber Alliance. Participating in these communities allows us to collaborate with our Defense Industrial Base sector peers, government agencies, information sharing and analysis centers, and cybersecurity associations. The Cybersecurity Program staff also maintains regular contact with the Federal Bureau of Investigation for the sharing of threat information.
Third parties play a key role in support of our Cybersecurity Program. The Chief Information Security Officer coordinates third-party assessments with the Company’s Internal Audit team. Third parties are regularly engaged to assess our security controls and incident response capabilities. We invest in tools to assess our external vulnerabilities and perform penetration testing regularly.
Third-party assessment findings are logged in our internal audit system and tracked until mitigated and/or remediated. These assessments are documented and reviewed with the Company’s Chief Executive Officer and Chairman, Chief Operating Officer, Chief Information Officer, General Counsel, as well as the Government Security Committee (“GSC”) of the Board. Both the Internal Audit team and the Chief Information Security Officer are responsible for reporting any material assessment findings to their respective Board committees.
Governance
Our Board oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer, regularly briefs our Board through the GSC depending on the nature and severity of the business impact. The Chief Information Security Officer also provides the GSC with an update on the Company’s risk management process and the risk trends related to cybersecurity at least annually. The Audit Committee maintains oversight of material risk mitigation recommendations identified by third-party assessors and receives reports as assessments occur. Cyber assessments are performed no less than annually. The full Board retains oversight of cybersecurity because of its importance and the heightened risk in the defense industry.
The Cyber Program is organized under our Chief Information Security Officer. The current Chief Information Security Officer has extensive information technology and program management experience and has served for over a decade in our corporate information security organization. He holds a Master’s degree in cybersecurity from Valparaiso University. Additionally, he holds both the Certified Information Systems Security Professional-Information Systems Security Management Professional (“CISSP-ISSMP”) and Certified Information Systems Auditor (“CISA”) certifications, and is also a recognized Information Technology Infrastructure Library (“ITIL”) expert. The Chief Information Security Officer reports to the Executive Vice President, General Counsel & Secretary, with oversight by the Board of Directors. Over the course of the last decade, our management team has gained extensive experience investing in, providing oversight of, and setting the strategy for our cybersecurity program. Prior to joining DRS, our Chief Executive Officer oversaw the development of the DoD cybersecurity strategy while serving as Deputy Secretary of Defense from 2009 to 2011.
While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant program delays and reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. See Part I, Item 1A, “Risk Factors—Risks Related to Our Business—We are susceptible to a security breach, through cyber-attack, cyber-intrusion, insider threats or otherwise, and to other significant disruptions of our IT networks and related systems, or those of our customers, suppliers, vendors, subcontractors, partners, or other third parties” in this Annual Report.