KBR, INC. - (KBR)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity risk is managed within the Company’s Enterprise Risk Management program. Our Enterprise Risk Management team works closely with our global Information Assurance team to continuously evaluate and address cybersecurity risks within the Enterprise Risk Management framework in alignment with our business objectives and operational needs. The Company has established a comprehensive global cybersecurity and information security framework to help safeguard the confidentiality, integrity and access of its information assets and to ensure regulatory, contractual and operational compliance. We understand the importance of preserving trust and protecting personal and other confidential and sensitive information. To assist us, we have a cybersecurity governance framework in place, which is designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The cybersecurity governance framework is built upon a foundation of advanced security technology, overseen by an experienced and trained team of experts with substantial knowledge of cybersecurity best practices. Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from cybersecurity and information security incidents.
The Company's cybersecurity and information security framework includes risk assessment and mitigation procedures through a threat intelligence-driven approach, application controls and enhanced security with ransomware defense. The framework is built upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework for measuring overall readiness to respond to cyber threats and incorporates International Organization for Standardization (ISO) 27001 standards for general information technology security controls and Sarbanes-Oxley (SOX) for assessment of internal controls. KBR's global cybersecurity risk program also integrates the following cybersecurity frameworks across our regional operations: US Defense Federal Acquisition Regulation Supplement (DFARS) and NIST SP 800-171, UK Cyber Essentials and Australia's Essential Eight.
The Company utilizes policies and procedures, software, training programs and hardware solutions to protect and monitor its environment, including multifactor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. Our Chief Information Security Officer (CISO) oversees the Company’s approach to managing cybersecurity and digital risk. Our CISO reports to the General Counsel, is supported by and collaborates with the Company's executive leadership team and regularly engages with cross-functional teams at the Company, including Digital Technology, Legal, Audit, Human Resources, Facilities and Corporate Risk. Our Chief Compliance Officer (CCO), Chief Information Officer (CIO) and CISO oversee our dedicated technology risk management function, which works in partnership with our internal audit department and data privacy team to review information technology-related internal controls with our independent registered public accounting firm as part of the overall internal controls process.
The Company provides mandatory annual security awareness education and training for all employees, new hires and contractors, conducts regular internal “phishing” testing and requires additional training for “clickers,” and publishes periodic tips to inform our user population of cyber best practices, any emerging external or internal threats and data privacy requirements applicable in the jurisdictions in which we operate.
We maintain a robust Cybersecurity Incident Response Plan, which provides a framework for handling cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the Company, and have established a global Security Operations Center to support enterprise visibility to cyber incidents in real time. Our Incident Response Plan includes the activities necessary to comply with applicable contractual and legal obligations and mitigate brand and reputational damage. We update our Cybersecurity Incident Response Plan on a regular basis.
We also engage with a range of external experts, including cybersecurity assessors, consultants and auditors, to assess and report on the effectiveness of our cybersecurity and data privacy controls, compliance with international and regional cybersecurity standards and our internal incident response preparedness, as well as to help identify areas for continued focus and improvement. The Company also has a third-party risk management program that assesses the cyber-related risks from our vendors and suppliers. We share threat intelligence and collaborate with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, better understand the evolving regulatory environment and advance capabilities in these areas. We also benchmark our activities and results against select peers.
Our cybersecurity team also regularly tests our controls through penetration testing, vulnerability scanning and attack simulation. We conduct annual cybersecurity penetration test exercises to evaluate the Company's cybersecurity controls and Cybersecurity Incident Response plans and to identify areas for improvement. The Company conducts additional cybersecurity tabletop exercises moderated by an independent third party with respect to breach and other problematic information security scenarios. During each exercise, the moderator poses questions to participants and advises how other companies typically respond to similar situations. Participants have included the Company’s CEO; Presidents; Executive Vice President, General Counsel and Corporate Secretary; Executive Vice President and Chief Financial Officer; Senior Vice President, Finance Operations and Chief Accounting Officer; Vice President and Chief Compliance Officer; CIO; CISO; and other members of executive management and employees, as well as our board of directors when appropriate.
Risks from Cybersecurity Threats
In the last three fiscal years, we have not experienced any material information security breach incidents, and the expenses we have incurred from information security breach incidents were immaterial. We have not incurred any material penalties or settlements related to any cybersecurity breach. Other risks from cybersecurity threats have also not materially impacted our business strategy, results of operations or financial condition, and as of the date of this report, we do not reasonably believe that such risks will have a material impact on our business strategy, results of operations or financial condition.
Governance
Our CISO oversees the Company’s approach to managing cybersecurity and digital risk and leads our global Information Assurance team, which includes representatives based in several of our worldwide locations. Our CISO brings over 15 years of experience, which includes implementing and verifying the effectiveness of cybersecurity controls in high-security environments, serving as a cybersecurity consultant and virtual CISO to clients in the government and defense sectors, and defining and executing cybersecurity strategy to enable business delivery while simultaneously protecting IP and privacy. Our CISO maintains the following internationally recognized certifications: ISC2 Certified Information Systems Security Professional (CISSP) and Project Management Institute Project Management Professional (PMP).
Our CIO oversees the Company’s information technology infrastructure and implements policies and procedures issued by the CISO within the Company. Our CIO brings over 30 years of experience, garnered across a diverse range of industries and countries, which includes implementing new systems and modifying existing systems for changes in policies and procedures.
Management's Role in Managing Risk
Our CISO is responsible for the creation of the Company’s enterprise-wide cybersecurity and information security framework, including the design effectiveness of the Company’s cybersecurity controls. Our CIO is responsible for the implementation of the Company’s cybersecurity and information security framework and the day-to-day execution of our cybersecurity processes and controls. Our governance structure applies a separation of duties approach between our CISO and CIO. The CISO, reporting to the General Counsel, is responsible for monitoring and ensuring that the Company’s cyber policy, risk assessment, verification and training responsibilities are in accordance with the relevant cybersecurity and information security framework. The CIO, reporting to the Chief Financial Officer, is responsible for the Company’s IT security operations and the implementation of policies created by the CISO. All cyber incidents under our existing cyber policy are reported to both the CISO and CIO, who then communicate them through their respective reporting structures to the General Counsel and Chief Financial Officer. This structure gives senior management visibility of operational initiatives and cyber incidents while balancing risks with business needs. The CISO and CIO routinely provide operational updates to the General Counsel and Chief Financial Officer as needed, and updates are provided by the CISO and CIO to both the Cybersecurity and Audit Committees of our board of directors at least quarterly and more often as appropriate, as discussed more fully below.
Board of Directors Oversight
Our board of directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the board of directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to our Cybersecurity Committee and Audit Committee. This committee-level focus on data privacy and cybersecurity allows the board to further enhance its oversight of our cyber risk management framework at the enterprise level. The Cybersecurity and Audit Committees jointly assist the board of directors in its oversight of our data privacy and cybersecurity needs by staying apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks and by overseeing responses to security and data incidents. The principal role of our board of directors, Cybersecurity Committee and Audit Committee is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. The board of directors receives information security and privacy awareness training, which covers, among other matters, the board's oversight obligations and the privacy and security programs in place at the Company. Our Cybersecurity and Audit Committees receive updates from our CISO and CIO, at least quarterly and more often as appropriate, on data privacy and security risks, including any material incidents, relevant industry developments, threat vectors and risks identified in periodic penetration tests or vulnerability scans. The committees' updates also include, from the CISO and General Counsel, material legal and legislative developments concerning data privacy and security, our approach to complying with applicable law and material engagement with regulators concerning data privacy and cybersecurity. Additionally, outside counsel advises the board about best practices for cybersecurity oversight by the board and the evolution of that oversight over time. Members of the board stay apprised of the rapidly evolving cyber threat landscape through our ongoing director education programming and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program. Four members of our board of directors, two of whom serve as members of the Cybersecurity Committee, have cybersecurity experience.