ALASKA AIR GROUP, INC. - (ALK)

10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY

Air Group’s management and Board consider cybersecurity to be a critical component of the Company’s risk management plan. Our systems are subject to increasing and evolving cybersecurity risks. Unauthorized parties have attempted and continue to attempt to gain access to our systems and information, including through fraudulent misrepresentation and other means of deception. The systems of our suppliers, vendors, and other business partners are also at risk. The threat of cybersecurity incidents is included within our company’s annual enterprise risk management (ERM) program that assesses the most significant risks to the enterprise.

Because of the industry in which we operate, we are subject to extensive regulatory requirements connected to cybersecurity, including but not limited to those overseen by the FAA, TSA, and DOT. As a result, it is imperative our cybersecurity risk management is well-planned and sufficiently robust to maintain compliance with these regulations.

The Company’s Chief Information Security Officer (CISO) is responsible for management of material risks from cybersecurity threats. The CISO has multiple years of experience working in information and network security management, and has in-depth knowledge of compliance requirements and standards set by various regulatory agencies. The CISO leads a team dedicated to the prevention, mitigation, detection, and remediation of any cybersecurity incidents. If a potential incident is identified, the CISO is notified and engages the cybersecurity incident response team (CyberSIRT). This team is responsible for declaring a cybersecurity incident and is comprised of individuals from multiple relevant departments. In the event the CyberSIRT declares an incident, the CISO provides overall direction for the response and mitigation of the threat. This response includes actions
31


taken to protect our data and networks, evaluation of the potential materiality of the incident, and the communication of the incident to critical parties, including senior leadership and the Board of Directors.

As part of our annual review of our cybersecurity risk management, we engage third-parties for a variety of processes including external audits, vulnerability assessments, and penetration tests. These processes help ensure our overarching strategy remains effective over time.

The Board of Directors is responsible for overseeing management’s processes to identify and mitigate risks, including cybersecurity risks. The Board’s Audit Committee leads the review and discussion of cybersecurity threats with management and receives updates from the CISO each quarter. Senior management, including the CISO, are available to address questions or concerns from the Audit Committee related to our risk management plan.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our organization. For additional discussion related to the Company’s consideration of cybersecurity risks and their potential impact on our business strategy, results of operations, or financial condition, please refer to Part I, Item 1A. “Risk Factors” in this document.

© 2024 Material-Incidents. All rights reserved.