BWX Technologies, Inc. - (BWXT)
10-K Filing Date: February 27, 2024
Item 1C. CYBERSECURITY
We seek to provide a secure working environment by establishing and maintaining effective security measures to protect the Company’s employees, properties, technology, and our customers’ assets from potential threats, including cybersecurity threats. Accordingly, we have implemented numerous controls, technologies and processes and have integrated operational measures into our overall risk management system to assess, identify, and manage material risks from internal and external cybersecurity threats.
The Governance Committee of our Board of Directors oversees the Company’s guidelines, policies, and processes to assess and manage the Company’s exposure to risks, which include cybersecurity risks. The Committee meets periodically with management to review and discuss major financial risk exposures, including from cybersecurity threats, and the steps management has taken to monitor and control those exposures. As necessary, our Cybersecurity Incident Management Team (“CIMT”) (described below) reports significant cybersecurity threats and incidents to the Governance Committee. The Governance Committee is also periodically briefed by management, including our Chief Digital Officer (“CDO”), with respect to our cybersecurity posture to facilitate its role in overseeing the Company’s overall cybersecurity program.
As a general matter, our CDO is responsible for defining our entire cybersecurity posture. The CDO has oversight in planning the strategy, programs, policies, and procedures to protect the organization’s digital assets, information, and infrastructure. Our IT Director, Cyber Security serves as the CIMT’s Incident Manager and is the member of management primarily responsible for assessing, identifying, mitigating, and managing cybersecurity risks; supervising IT security design, development, implementation, and testing; and running the day-to-day operations of our cybersecurity team. Our CDO holds a bachelor’s degree in electronics and telecommunications engineering and has more than 35 years of information technology and cybersecurity experience in various leadership and executive roles. In addition, our IT Director, Cyber Security holds a bachelor’s degree in computer information systems and the Certified Information Systems Security Professional (CISSP) and Information Systems Security Architecture Professional (ISSAP) certifications, as well as over 30 years of experience as an information technology professional with the most recent 15 years specializing in cybersecurity.
The CIMT is responsible for coordinating the containment, response, investigation, reporting, and recovery related to a cybersecurity incident, and is an internally led management team made up of leaders from our Communications, Human Resources, IT and Cybersecurity, Legal and Compliance, Risk Management and other departments, including our IT Director, Cyber Security. Team members possess a broad scope of expertise, including cybersecurity, information technology, legal, compliance, risk management, insurance and crisis communications. The CIMT operates under the co-leadership of the General Counsel and CDO, who are responsible for oversight and composition of the CIMT, determining whether an incident warrants activating external service providers, providing updates to the Chief Executive Officer and Senior Management Team, keeping our Governance Committee as well as our Board of Directors informed as appropriate, and ultimately establishing and executing our enterprise-wide incident response strategy.
Training and preparation are essential to the overall success of the CIMT to help ensure team members develop and maintain the operational, technical, and managerial skillsets necessary to support the effective function of the CIMT. Our CIMT members undergo training and preparation for cybersecurity incidents like participating in regular cybersecurity incident response tabletop exercises and reviewing lessons learned. Our general cybersecurity team receives extensive on-the-job training with respect to cybersecurity operations, maintenance, analysis, detection, investigation, mitigation, and protection. In addition, company-wide cybersecurity and insider threat training is mandated for our employees.
We have processes and controls that oversee, identify, and manage cybersecurity risks with respect to our external service providers, including cybersecurity service providers. For example, we review and seek to negotiate terms and conditions in our legal agreements to provide for the adequate protection of confidential information and the Company’s networks and systems and compliance with any applicable cybersecurity requirements, including with respect to any information exchanged. We also review the security controls of hosted solutions in an effort to ensure protection is commensurate with our security requirements. We periodically revalidate those cybersecurity control reviews commensurate with the risk identified. Further, we utilize an external security assessment service to produce security ratings that include detailed descriptions of deficiencies affecting the rating. We seek to respond accordingly to those deficiencies to the extent practicable. Lastly, as appropriate and when feasible, we may visit our service providers’ facilities to observe security practices and physical security controls.
Despite taking extensive precautions, cybersecurity incidents are still possible. In general, when our cybersecurity team detects a cybersecurity threat by way of an alert within our cyber defense systems, employee notice, or otherwise, our IT Director, Cyber Security, along with other relevant personnel, is promptly apprised of the situation, and actively takes steps to prevent, mitigate, or remediate that threat. If a cybersecurity threat appears to progress into a possible cybersecurity incident, our IT Director, Cyber Security serves as the CIMT’s incident manager and the CDO or designee notifies the Chief Risk Officer of a need to activate the CIMT as appropriate, informs and updates the CIMT, and may consult other internal and external resources with the required technical, application, organizational, and business knowledge to provide effective advice to the CIMT.
The CIMT responds to potential cybersecurity incidents raised to its attention by making an assessment of the event to determine if a cybersecurity incident has, in fact, occurred, identifying any assets impacted by the incident, determining any information stored and processed by assets identified as compromised, assessing the nature and level of damage that has occurred (accessed, exfiltrated, released to the public, etc.), and revising the assessment throughout the incident response process when additional details are identified.
As a U.S. Government contractor, we may be prone to a greater number of those threats than companies in other industries. We believe we are well positioned to meet the requirements of the Cybersecurity Maturity Model Certification ("CMMC") program and are preparing for certification once the requirements are effective. As of the date of this Report, risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. However, there can be no guarantee that cybersecurity threats and incidents will not materially affect us in the future. See Item 1A of this Report for more information on our cybersecurity risks.