Virgin Galactic Holdings, Inc. (SPCE)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
We utilize a risk-based approach to cybersecurity and data privacy that is intended to identify, assess, and manage information and cybersecurity risks applicable to our business, and protect the confidentiality, integrity, and availability of our critical systems and information.
We have developed and implemented an Information Security Governance Program which is structured for alignment with business objectives and visibility of material risks by senior leadership. This Program includes our cybersecurity incident response plan and supporting policies that provide guidance on detecting, assessing, reporting, and responding to cybersecurity incidents. The cybersecurity response plan is designed to ensure that senior leadership is informed about security incidents as they happen, and that security incidents are managed through to closure. We have not identified any risks or incidents from known cybersecurity threats, including any residual impacts resulting from any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition.
Our defensive strategy is carefully managed to prevent threats that could materially impact our business operations, financial position or business strategy. We integrate several tools, policies, and services to support this strategy. These are oriented around and informed by industry standard control frameworks including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), specifically NIST 800-171, as well as ISO 27001/27002.
Our Chief Information Officer ("CIO") is principally responsible for executing our cybersecurity risk management program and has many years of experience in managing technical and cybersecurity organizations. He is supported by our Information Security Department, which includes relevant expertise and leadership, and by external cybersecurity consultants as needed. The CIO and the Information Security Department are principally focused on assessing and managing our material risks from cybersecurity threats and the prevention, detection, and minimization of the effects of cybersecurity incidents. This includes routine in-house and third-party testing, auditing, patch and vulnerability management, identity and access management, data loss prevention, threat intelligence and other information obtained from governmental, public, or private sources, and comprehensive alerting and reporting from operational tools and services.
We extend our cybersecurity and data privacy standards to our third-party service providers, where appropriate, as part of our Information Security Governance Program. Where applicable, we seek vendor compliance with industry standards such as ISO 27001 and SOC 2.
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated oversight of enterprise risk management to the Audit Committee, including management’s implementation of our cybersecurity risk management program. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. Our Chief Information Officer presents the status of the Information Security Program to the Audit Committee quarterly and includes security control performance, technical capability enhancements, threat intelligence, information about certain cybersecurity incidents (if any) and resource performance to demonstrate the risk posture and cyber risk management practices of the organization. The Audit Committee’s risk-based decisions related to cybersecurity are primarily reflective of the information presented by the Chief Information Officer.