KRATOS DEFENSE & SECURITY SOLUTIONS, INC. - (KTOS)
10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan (“IRP”). The purpose of the IRP is to provide a structured and systematic incident response process for all Information Security Incidents that affect any of our or our subsidiaries’ information technology systems, network, or data, including data of ours and our subsidiaries held, or IT services provided by, third-party vendors or other service providers.
We developed and maintain our program as required by applicable laws and regulations, including without limitation Cybersecurity Maturity Model Certification (CMMC) and 17 CFR Part 229.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across our global enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
We have designated our Chief Information Officer (CIO) to implement and maintain the IRP. Our CIO has over 20 years of experience in the field of cybersecurity and is responsible for the management of our cybersecurity and data privacy program. Among other information security duties, the CIO is responsible for:
• implementing the IRP,
• identifying and managing an incident response team (“IRT”) principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents,
• coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to, appropriately escalate, make decisions regarding, and document identified cybersecurity incidents,
• conducting post-incident reviews to gather feedback on identified cybersecurity incident response procedures and address any identified gaps in security measures,
• providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of the IRP, and
• reviewing the IRP at least annually, or whenever there is a material change in our business practices that may reasonably affect its cybersecurity incident response procedures.
Our cybersecurity risk management program includes:
• risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment including risks associated with ransomware;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• cybersecurity awareness training of our employees, incident response personnel, and senior management;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
• a third-party risk management process for service providers, suppliers, and vendors.
We have developed processes to identify and oversee risks from cybersecurity threats associated with our third-party service providers, which includes the information security team assisting with and assessing cybersecurity robustness during vendor onboarding as well as risk-based monitoring of vendors on an ongoing basis.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Governance
Our Board considers cybersecurity risk as part of its risk oversight function and oversees management’s implementation of our cybersecurity risk management program.
The Board receives regular reports from management on our cybersecurity risks. In addition, management updates the Board, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
Board members receive presentations on cybersecurity topics from our CIO, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies.
Our management team is responsible for assessing and managing our material risks from cybersecurity threats. Our CIO regularly informs our management team of all aspects related to cybersecurity risks and incidents. This is designed to ensure that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained cybersecurity consultants.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
Impact of Cybersecurity Risks on Business Strategy, Results of Operations or Financial Condition
Cybersecurity threats, such as threats of attacks from computer hackers, cyber criminals, nation-state actors and other malicious internet-based activity, continue to increase. Cybersecurity threats also include threats of attacks involving social engineering and cyber extortion to induce customers, contractors, business partners, third-party service providers, employees and other third parties to disclose information, transfer funds or unwittingly provide access to systems or data.
We believe that our current preventative actions and response activities provide adequate measures of protection against security breaches and generally reduce our cybersecurity risks. However, cybersecurity threats are constantly evolving, are becoming more frequent and more sophisticated and are being made by groups of individuals with a wide range of expertise and motives, which increases the difficulty of detecting and successfully defending against them. While we have implemented measures to safeguard our operational and technology systems and have established a culture of continuous learning, monitoring and improvement, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. In the ordinary course of our business, we have experienced and expect to continue to experience cyber-based attacks and other attempts to compromise our information systems, although none, to our knowledge, has had a material adverse effect on our business, financial condition or results of operations. While we do not believe cybersecurity threats are reasonably likely to affect us, our business strategy, our results of operations or our financial condition, like all companies, we face risks of such threats, the consequences of which could be material. See Item 1A – Risk Factors – Risks Related to Our Operations – “Cybersecurity breaches or disruptions of our information technology systems could negatively impact our operations,” above. In addition, given the constant and evolving threat of cyber-based attacks, we incur significant costs in an effort to detect and prevent security breaches and incidents, and these costs may increase in the future.