Leidos Holdings, Inc. - (LDOS)
10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity risk management is an integral part of our digital posture and enterprise risk management strategy. Cybersecurity is critical to maintaining the trust of our customers and business partners, and we are committed to protecting our and their confidential and sensitive information, including personal information, and mitigating cybersecurity risks that impact our systems and networks. We maintain technologies, programs and processes designed to assess, identify, manage and mitigate cybersecurity risks. Our efforts include regular monitoring of Leidos-managed programs for internal and external cybersecurity threats, providing cybersecurity training to our employees during the onboarding process and annually, and continually reviewing and refining formal policies and procedures designed to deter, identify and remediate cybersecurity incidents. We regularly perform evaluations of our cybersecurity program and continue to invest in our capabilities to keep our customers, partners, suppliers and information assets in our possession safe. Although we employ service provider due diligence and onboarding procedures to identify potential cybersecurity risk, our ability to monitor the cybersecurity practices of our service providers is limited and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information system, software, networks and other assets owned or controlled by our vendors.
Our Chief Information Security Officer leads our Cybersecurity Intelligence and Response Team (“CSIRT”), whose function is to stay apprised of existing and emerging cyber threats, monitor our global enterprise, and proactively identify and protect against cybersecurity risk. The CSIRT uses intelligence collected from various sources, fused with intelligence derived from its own analysis and response actions, to proactively search for and address adversary activity against the Leidos network. The CSIRT possesses in-depth knowledge of network, endpoint and perimeter security systems, identity, data protection, threat intelligence, forensics, penetration testing and malware reverse engineering, as well as the functioning of specific applications and the underlying information technology infrastructure.
Leidos CSIRT owns the incident response process and provides direction and guidance to users of Leidos computing resources when responding to cybersecurity incidents. Leidos CSIRT also provides intrusion monitoring of networks and information systems and continuously monitors the Leidos computing environments and performs triage and analysis of events to identify potential incidents.
We employ multiple security and monitoring devices and applications throughout the Company to identify, alert, report and log all authorized and unauthorized access to the Leidos enterprise networks. We use an application that collects and correlates these events and notifies CSIRT analysts of any item that meets the criteria for an electronic intrusion event. We categorize anomalous cyber events into discrete severity levels, and cybersecurity matters are escalated to the corresponding levels of management, as well as our Board, based on the severity of the incident, as appropriate. Sharing cyber threat information at these levels supports the Company’s ability to integrate cybersecurity considerations into its overarching risk management system and processes.
We also conduct periodic internal and third-party assessments to test our cybersecurity controls, perform cyber simulations and exercises, and continually evaluate our internal governing policies and procedures to help detect and respond to cybersecurity events in order to reduce harms or impacts from breaches and other information security incidents.
Governance
Management's Responsibilities
Our global information security program is led by our corporate Chief Information Security Officer, who works closely with key corporate functional and line of business stakeholders. The Chief Information Security Officer partners with these functions for the purpose of identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risks are monitored, implementing appropriate mitigation measures, reporting cybersecurity breaches and other information security incidents, and maintaining our cybersecurity program. The senior management officers who support our information security program have expertise in cybersecurity, as demonstrated by qualifications such as prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience. Our management team receives regular updates on our cybersecurity posture and reviews detailed information about our cybersecurity preparedness. Additionally, we have a Leidos Security Council, co-chaired by the Chief Information Security Officer and the Chief Security Officer, that addresses “all security hazards” across our global enterprise to ensure the cohesion and effectiveness of our combined security governance and risk mitigations.
Leidos Holdings, Inc. Annual Report - 44
PART I
Board's Roles and Responsibilities
We have a Technology and Information Security Committee, comprised of six board members with relevant backgrounds and experience, that oversees and advises the Board and management on matters involving the Company’s overall strategic direction and significant business risks and opportunities in the areas of technology and information security.
At least quarterly, management provides our Board and the Technology and Information Security Committee with updates about our cybersecurity and related risk exposures, our policies and procedures to mitigate such exposures and the status of projects to strengthen our information security infrastructure and program maturity and defend against and respond to cybersecurity threats. In addition, we use a risk-based escalation process to notify the Board and the Technology and Information Security Committee outside of the regular reporting cycle should we identify a significant emerging risk or potentially material issue that should be brought to their attention.
Cybersecurity Threats
To date, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations, or our financial condition. However, despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors – Cybersecurity breaches and other information security incidents could negatively impact our business and financial results, impair our ability to effectively provide our services to our customers and cause harm to our reputation or competitive position” in this Annual Report on Form 10-K.