L3HARRIS TECHNOLOGIES, INC. /DE/ - (LHX)

10-K Filing Date: February 17, 2024
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy
We assess and identify material risks from cybersecurity threats primarily through the work of our Information Security organization as part of our enterprise risk management (“ERM”) process. The ERM process, administered by management with input from each business segment and function, continually monitors material risks facing L3Harris, including cybersecurity threats. Our Chief Information Officer (“CIO”), who has extensive experience leading information technology for global organizations across aerospace, defense and industrials, works directly with our CEO and other members of senior management to assess cybersecurity threats as part of the ERM process. The CIO also oversees the internal cybersecurity organization of more than 100 full-time employees headed by our Chief Information Security Officer (our “Cybersecurity Team”).
Risks related to cybersecurity threats are reflected in an enterprise risk “heat map,” along with other material risks identified through the ERM process, and any mitigation plans developed to manage such risks are reported to our Board. The “heat map” includes risks related to cybersecurity threats to L3Harris and our customers, suppliers, vendors, subcontractors or other third parties, and the possibility of a data breach of our confidential, personal and proprietary information through a cybersecurity incident impacting L3Harris or any third party. We could be negatively impacted by a security breach, through cyber-attack, cyber intrusion, insider threats, supply chain incidents, or otherwise, or other significant disruption of our IT networks and related systems or of those we operate for certain of our customers. See “Item 1A - Risk Factors” in this Report for further discussion of specific risks related to cybersecurity threats.
To actively manage cybersecurity risks identified as part of the ERM process or otherwise and to manage emerging cybersecurity threats in real time, management has implemented an ISO 27001 certified Information Security Management System. Our Cybersecurity Team operates a Security Operations Center that continuously monitors activity, frequently scans applications and systems for vulnerabilities to risk from cybersecurity threats and creates action plans to address and track identified cybersecurity threats until they have been remediated. Activities and cybersecurity incidents are reported to our CIO, who briefs senior management, including our CEO, as well as the Innovation and Cyber Committee of our Board (the “Innovation and Cyber Committee”) and the Audit Committee of our Board (the “Audit Committee”), as appropriate. Our Cybersecurity Team also routinely engages with third parties, including government agencies focused on cyber resiliency, to manage risks from cybersecurity threats. For example, we are members of the DoD Defense Industrial Base Collaborative Information Sharing Environment, the National Defense Information Sharing and Analysis Center, and the National Security Agency Enduring Security Framework. These organizations share real-time cybersecurity threat information and best practices in protecting, detecting and recovering from cybersecurity threats.
We also have a counterintelligence and insider threat program to detect potential external and internal threats, conducted by purposeful or unwitting actors. As a government contractor, we must comply with extensive cybersecurity regulations, including the Defense Federal Acquisition Regulation Supplement (“DFARS”) related to adequately safeguarding controlled unclassified information (“CUI”) and reporting cybersecurity incidents to the DoD. The policies and implemented controls reflect our adherence to these requirements and have been assessed by external organizations, including industry partners and the federal government.
To mitigate cybersecurity risk introduced from our supply chain, we have a dedicated Cybersecurity - Supply Chain Risk Management team. This team assesses new suppliers against best cybersecurity practices, ensures cybersecurity regulations are contractually obligated and coordinates mitigation actions across the company if a supplier is impacted by a cybersecurity incident. They utilize industry monitoring services to identify potential supply chain incidents and work closely with our Cybersecurity team to understand the latest threats affecting our industry.
Additionally, as part of our processes to manage risks related to a breach in our information systems, management requires employees to take annual cybersecurity training and shares regular awareness updates regarding cybersecurity threats. Our Cybersecurity Team regularly tests employees throughout the year to assess the effectiveness of the cybersecurity training. We also periodically conduct penetration testing of our network, hold tabletop exercises of cyber incidents, and undertake cybersecurity assessments led by Internal Audit to improve our risk mitigation and assist in the determination of a potential material impact caused by a cybersecurity incident.
Governance
The Audit Committee provides regular oversight and review of our ERM process and other guidelines and policies governing the processes by which our CEO and senior management assess our exposure to risk, including risk from cybersecurity threats. The Innovation and Cyber Committee receives regular briefings from our CIO, Chief Information Security Officer and other members of senior management on cybersecurity threats and related matters and assists the Audit Committee in its oversight and review of our ERM process.
The Innovation and Cyber Committee reviews our cybersecurity risk across the enterprise at least annually, including IT, supply chain and products and our cybersecurity strategy framework and operational posture. The Innovation and Cyber Committee also reviews our IT, data security and other systems, processes, policies, procedures and controls at least annually to (a) identify, assess, monitor and mitigate cybersecurity risks; (b) identify measures to protect and safeguard against cybersecurity threats and breaches of confidential information and data and IT infrastructure and our other assets or assets of our customers or other third parties in our possession or custody; (c) support the response and management of cybersecurity threats and data breach incidents; and (d) aid in compliance with legal and regulatory requirements governing cybersecurity or data security reporting requirements. The Innovation and Cyber Committee reports its activities to the full Board on a regular basis and makes such recommendations to the Board and management with respect to risks from cybersecurity threats and other matters as it deems necessary or appropriate.