Spirit AeroSystems Holdings, Inc. - (SPR)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Cybersecurity Program
Our cybersecurity program is designed to detect known and anticipated threats, and contemplate various types of unexpected but possible threats. We have developed processes to identify, assess, mitigate, analyze and respond to threats, and continue to mature our cyber resiliency solutions.
We continuously monitor the cybersecurity landscape and identify active and potential threats through a combination of tools and processes. Our Global Information Security (“GIS”) team has day-to-day responsibility for Spirit’s cybersecurity program. This group is led by a Chief Information Security Officer (“CISO”) with more than twenty years of audit and cybersecurity experience. The CISO collaborates across the business, participates in internal audits, and is active in several leading industry groups to help benchmark our efforts with third parties. GIS receives and analyzes information from various resources to inform our cybersecurity program needs. An Enterprise Security Council comprised of GIS, Information Technology, Legal, Compliance, Internal Audit, and Enterprise Risk Management meets regularly to discuss emerging cyber risks and corresponding mitigations as part of our overall Enterprise Risk Management program. Significant risks are escalated to the Enterprise Risk Council which is chaired by our President and CEO, who was the Deputy Secretary of Defense during the development of the 2018 Department of Defense Cyber Strategy. We implement appropriate controls to protect our information or information we have control of on our systems, and our operations. We evaluate our controls and systems against industry-recognized standards, and contractual requirements, as applicable.
The CISO monitors and reviews our process of patching compliance, which is managed and executed via a combination of internal resources and third-party service providers. We also use third parties to supplement monitoring of cyber activity and for various special projects, which may include projects related to cybersecurity.
As part of our cybersecurity risk management program, we have planned “tabletop” exercises designed to simulate various cybersecurity threats or intrusions and help identify gaps in our preparedness, and help provide clarity in how to respond to any potential incidents. These exercises are designed to test the working level and senior leadership level, including participation by Executive Leadership Team. All employees are required to take mandatory cybersecurity training courses throughout the year. We execute simulated phishing exercises and provide direct feedback to employees who fail such simulations to help them understand how to recognize phishing attempts. Our overall program is designed to help us prevent and effectively respond to cybersecurity incidents.
33
GIS maintains an Incident Management and Response Policy that provides a classification framework for cybersecurity incidents and defines critical roles and responsibilities during a cybersecurity incident. The Incident Response Policy specifies ownership and timing of key actions and prescribes the engagement of functional leaders, senior Executives, and the Board of Directors, depending on the incident. We have developed playbooks to guide specific actions related to different incident types. Finally, we have a cyber insurance policy underwritten by a global leader in commercial insurance solutions.
Part of our Enterprise Risk Management program involves understanding risks that third parties, including those that our supply chain introduce to our organization. Our cybersecurity program is in the process of maturing how we assess third-party cyber risks, particularly in situations where we share confidential or sensitive information, or in situations where our operations may be impacted through a cybersecurity incident at a third party.
Cybersecurity Governance
The Board of Directors’ Risk Committee has the responsibility for oversight of our cybersecurity program. This committee’s membership includes subject matter experts in both cybersecurity and national security. Spirit’s CISO reports to the Risk Committee quarterly on the state of our cybersecurity program.
Cybersecurity Risks
Although cybersecurity risks have not materially affected us, including our business strategy, results of operations, or financial condition, during the period covered by this report, we are subject to various cybersecurity risks, which could, in the future, be material. For more information about the cybersecurity risks we face, see Item 1A. “Risk Factors – Risks Related to Our Operations”
Item 2. Significant Properties
The location, primary use, approximate square footage and ownership status of our principal properties as of December 31, 2023 are set forth below:
| Location | Primary Use | Approximate Square Footage | Owned/Leased | |||||||||||||||||
| United States | ||||||||||||||||||||
Wichita, Kansas(1) | Primary Manufacturing | 12.7 million | Owned/Leased | |||||||||||||||||
| Facility/Offices/Warehouse | ||||||||||||||||||||
| Tulsa, Oklahoma | Manufacturing Facility | 1.7 million | Leased | |||||||||||||||||
| Kinston, North Carolina | Primary Manufacturing/Office/Warehouse | 851,000 | Leased | |||||||||||||||||
| Dallas, Texas | Manufacturing | 199,000 | Leased | |||||||||||||||||
| Biddeford, Maine | Manufacturing | 247,000 | Owned/Leased | |||||||||||||||||
| Woonsocket, Rhode Island | Manufacturing | 79,000 | Owned/Leased | |||||||||||||||||
| United Kingdom | ||||||||||||||||||||
| Prestwick, Scotland | Manufacturing Facility | 988,000 | Owned | |||||||||||||||||
| Belfast, Northern Ireland | Manufacturing Facility/Offices | 3.1 million | Owned/Leased | |||||||||||||||||
| Malaysia | ||||||||||||||||||||
| Subang, Malaysia | Manufacturing | 411,000 | Owned/Leased | |||||||||||||||||
| France | ||||||||||||||||||||
| Saint-Nazaire, France | Primary Manufacturing/Office | 75,000 | Leased | |||||||||||||||||
| Africa | ||||||||||||||||||||
| Casablanca, Morocco | Primary Manufacturing | 312,000 | Owned | |||||||||||||||||
(1)89% of the Wichita facility is owned.
34
Our physical assets consist of approximately 20.7 million square feet of building space located on 1,497 acres in 11 facilities. Production across our Commercial, Defense & Space, and Aftermarket segments is located in our primary manufacturing facility located in Wichita, Kansas. Additional Commercial segment work is produced at our Tulsa, Oklahoma; Kinston, North Carolina; Saint Nazaire, France; Prestwick, Scotland; Belfast, Northern Ireland; Subang, Malaysia and Casablanca, Morocco facilities. Additional Defense & Space work is produced at our Tulsa, Oklahoma; Biddeford, Maine; Woonsocket, Rhode Island; Prestwick, Scotland and Belfast, Northern Ireland facilities. Additional Aftermarket segment work is produced at our Tulsa, Oklahoma; Kinston, North Carolina; Dallas, Texas; Prestwick, Scotland; Belfast, Northern Ireland and Casablanca, Morocco facilities.
The Wichita facility, which includes the Company's corporate offices, is comprised of 650 acres, 8.1 million square feet of manufacturing space, 1.9 million square feet of offices and laboratories for the engineering and design group and 2.7 million square feet for support functions and warehouses. The Wichita site has access to transportation by rail, road, and air via the runways of McConnell Air Force Base.
The Tulsa facility consists of 1.7 million square feet of building space set on 147 acres. The Tulsa plant is located five miles from an international shipping port (Port of Catoosa) and is located next to the Tulsa International Airport.
The Wichita and Tulsa manufacturing facilities have significant scale to accommodate the very large structures that are manufactured there, including, in Wichita, entire fuselages. These two U.S. facilities are in close proximity, with approximately 175 miles between Wichita and Tulsa.
The Kinston, North Carolina facility supports the manufacturing of composite panels and wing components. The primary manufacturing site and off-site leased spaces total 318 acres and 851,000 square feet. In addition to the primary manufacturing facility, this includes three additional buildings leased from the North Carolina Global Transpark Authority: a 27,800 square foot warehouse/office supporting receiving needs, a 26,400 square foot warehouse providing tooling storage, and a 121,000 square foot manufacturing facility supporting light manufacturing.
The Dallas, Texas operation is in three leased buildings totaling 199,000 square feet with proximity to the Dallas/Fort Worth logistical hub and is within seven miles of the Dallas Love Field Airport. This is a world class MRO/CRO facility that specializes in nacelle and flight control surfaces. The facility has FAA/EASA Part 145 & Part 21G certificates and services customers across the Americas.
The Biddeford, Maine site was purchased in 2020 and consists of 182,000 square feet at two owned locations on 22 total acres. The primary function of these sites is carbon/carbon composite and thermal protection system manufacturing. Additionally, this site includes two leased locations of warehouse space totaling 13,000 square feet and a fiber material building totaling 52,000 square feet.
The Woonsocket, Rhode Island site was acquired in late November 2022. The subsidiary, Spirit AeroSystems Textiles, LLC ("Spirit Textiles"), operates out of two locations within the city totaling 48,000 square feet in one owned building on 4 acres and 31,000 square feet in one leased building, producing carbon/carbon composite parts through fiber reinforcement technology.
The Prestwick facility consists of 988,000 square feet of building space, comprised of 459,000 square feet of manufacturing space, 280,000 square feet of office and lab space, and 249,000 square feet of warehouse/support space. This facility is set on 93 acres. The Prestwick plant is located within close proximity to the motorway network that provides access between England and continental Europe. It is also easily accessible by air (at Prestwick International Airport) or by sea. A portion of the Prestwick facility is leased to the Regional Aircraft division of BAE Systems and certain other tenants.
The Belfast, Northern Ireland facility consists of seven sites on 202 acres within 12 miles of the main factory at Queens Island totaling 3.1 million square feet. All on-site buildings are Spirit owned, but six sites are on leased acreage. The operations conducted at these sites include machined parts, auto-riveting and major aerostructures final assembly; fabrication and wing assembly for the A220; composite fabrication for multi-programs; sheet metal fabrication, metal bonding, chem-milling, composite parts manufacturing, and panel fabrication and assembly; nacelle production and MRO repair for multi-programs; and engineering services.
The Malaysian manufacturing plant is located at the Malaysia International Aerospace Center in Subang. The 411,000 square foot facility is 34% owned and is set on 45 leased acres and is centrally located with easy access to Kuala Lumpur, as well as nearby ports and airports. The facility assembles composite panels for wing components and sub-structures for fuselage.
35
The Saint-Nazaire, France is set on 9 acres and totals 75,000 square feet. This facility receives center fuselage frame sections for the Airbus A350 XWB from the facility in Kinston, North Carolina. Sections designed and manufactured in North Carolina are shipped across the Atlantic, received in Saint-Nazaire, and assembled before being transported to Airbus.
The Casablanca, Morocco site is set on 7 acres and totals 312,000 square feet with access to the Moroccan aeronautical hub, with the Mohammod V Airport being within two miles of the site. Operations in Casablanca include CRJ nacelle and flight commands, mid-fuselage work on the A220, nacelle work on the A320neo, and mid-fuselage work on the C350.