American Airlines Group Inc. - (AAL)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
The safety and security of our customers and team members is our top priority. This includes working to put in place appropriate administrative, physical and technical cybersecurity safeguards to help protect our assets that keep our operation running and securely store the information in our care. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our systems and information.
We have created, and assess our program against, an integrated cybersecurity framework using various National Institute of Standards and Technology (NIST) security standards, guidelines and best practices. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use various NIST security standards, guidelines and best practices to identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is overseen by our Executive Cybersecurity Risk Group (ECRG), which comprises our Chief Digital and Information Officer (CDIO), Chief Financial Officer and Chief Legal Officer. The ECRG, working with our Chief Information Security Officer (CISO), assists the Board of Directors and our senior leadership team in fulfilling their responsibilities for cybersecurity governance, approval and oversight through the periodic reporting and review of security strategy and risk management practices. Our cybersecurity risk management program is integrated into our overall risk management processes and shares common reporting channels and governance processes that apply across the enterprise to other legal, compliance, strategic, operational, and financial risk governance programs.
Our cybersecurity risk management program includes:
• risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and our broader enterprise IT environment;
• a cybersecurity team principally responsible for managing our (1) cybersecurity risk assessment processes, (2) security controls, (3) vulnerability management program and (4) detection and response to cybersecurity incidents;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• policies, procedures and standards that are utilized to outline expectations, guidelines and best practices for managing cybersecurity risks;
• cybersecurity awareness training for our employees, incident response personnel and senior management;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
• a third-party risk management process for critical IT service providers, suppliers, and vendors.
We are constantly assessing our environment for cybersecurity threats, and we face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. At the time of this filing, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations or financial condition. See Part I, Item 1A. Risk Factors – “Evolving cybersecurity and data privacy requirements (in particular, compliance with applicable federal, state and foreign laws relating to handling of personal information about individuals) could increase our costs, and any significant cybersecurity or data privacy incident could disrupt our operations, harm our reputation, expose us to legal risks and otherwise materially adversely affect our business, results of operations and financial condition.”
Cybersecurity Governance
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (Committee) oversight of cybersecurity and other information technology risks. The Committee oversees management’s implementation of our cybersecurity risk management program.
The Committee receives quarterly reports from management on our cybersecurity risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as certain incidents with lesser impact potential.
The Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. The full Board of Directors also receives periodic briefings from management on our cyber risk management program. Board of Directors members receive presentations on cybersecurity topics from a combination of our CDIO, CISO, Deputy General Counsel, internal security staff, external counsel or external experts, as part of the Board of Directors’ continuing education on topics that impact public companies.
Our management team, including our CDIO, CISO, Vice President and Deputy General Counsel – Chief Privacy and Data Protection Officer, Vice President of Infrastructure and Operations and additional members of the ECRG, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Collectively, our management team has extensive information technology experience, as well as cybersecurity incident response, compliance, oversight, and program management experience. Additionally, certain leaders and personnel within the cybersecurity organization hold industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other sources, including external consultants engaged by us.