DELTA AIR LINES, INC. - (DAL)

10-K Filing Date: February 12, 2024
ITEM 1C. CYBERSECURITY

We are committed to safeguarding our information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Our program to protect our information assets and the management of risks to those assets supports the confidentiality, integrity, and availability of the information necessary to our long-term business success.

Risk Management & Strategy

Our processes for assessing, identifying and managing material risks from cybersecurity threats are incorporated into our Enterprise Risk Management ("ERM") framework. Our information security and ERM teams coordinate to regularly review and assess these risks using a wide range of tools and services. Our cybersecurity program leverages components from several industry frameworks and generally recognized best practices, including International Organization for Standardization 27001 and National Institute of Standards and Technology ("NIST") standards, such as the NIST Cybersecurity Framework, which emphasizes identification, protection, detection, response and recovery. We regularly assess our information security program capabilities and tools to improve reliability, enhance capabilities and scan our environment for vulnerabilities and weaknesses.

Our information technology teams are trained to remediate vulnerabilities identified within established timeframes and our information security team reports to management on a weekly basis regarding the security risk posture of our information technology assets. We have established a dedicated Information Technology Risk team tasked with the goal of ensuring that risk remediation activities are carried out consistently and that risk remediation controls are operating as intended and within established thresholds.

Enterprise-wide training is a vital component to reducing risk and protecting customers, employees and company information. We expect all Delta employees to adhere to information security and privacy policies as they handle corporate and customer information in their daily jobs. As a result, we require all employees and contractors with access to Delta’s information to complete annual training, which is updated as new technology, security and privacy issues emerge. All new employees are required to complete training within 30 days of hire. We also regularly conduct other training and employee education activities, including through awareness programs and campaigns.

We engage with assessors, consultants, auditors and other third parties, including by regularly having a third party review our overall cybersecurity program to help identify areas for continued focus, improvement and/or compliance. In connection with certain regulatory requirements, we are required to engage third parties to assess our cybersecurity controls.

Our cybersecurity program is subject to TSA requirements applicable to certain TSA-regulated airport and aircraft operators, including the requirement to develop a TSA-approved implementation plan describing measures we are taking to improve cybersecurity and to assess the effectiveness of those measures on an ongoing basis.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

We regularly test our incident response processes through table-top exercises to ensure they continue to be effective as our business and the cybersecurity threat landscape evolve. Our incident response processes are designed to guide the actions we take to prepare for, detect, respond to and recover from cybersecurity incidents.

In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We describe whether and how risks related to cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference in this Item 1C.

Delta Air Lines, Inc. | 2023 Form 10-K 27

Governance

Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer. In 2023, the Audit Committee received briefings on information security matters at all of its regular meetings. In addition, our Chief Information Officer, our Chief Information Security Officer, other members of our information technology leadership team and an outside legal expert on cybersecurity matters held a special session with all members of our Board of Directors to provide an overview of the information security environment. In addition to information provided in these meetings, members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies.

Our information security team is led by our Senior Vice President & Chief Information Security Officer, who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor.

Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Risk Council and Leadership Committee, as well as the Audit Committee and the Board, as merited.



Item 2. Properties