TEXTRON INC - (TXT)

10-K Filing Date: February 12, 2024
Item 1C. Cybersecurity
Overview
Our IT and related systems are critical to the efficient operation of our business and essential to our ability to perform day-to-day processes. We face persistent security threats, including threats to our IT infrastructure and unlawful attempts to gain access to our confidential, classified or otherwise proprietary information, or that of our employees or customers, via phishing/malware campaigns and other cyberattack methods.
Our centrally defined security policies and processes are based on industry best practices and are revisited regularly to ensure their appropriateness based on risk, threats and current technological capabilities. We monitor compliance with these policies and processes through frequent internal audits and a set of robust metrics that assist in protection of our environment. As a U.S. defense contractor, we are additionally obligated to comply with current Department of Defense regulations such as Defense Federal Acquisition Regulation Supplement and the evolving Cybersecurity Maturity Model Certification guidelines.
We maintain Information Systems Incident Management Standards applicable to all our businesses that are intended to ensure information security events and weaknesses associated with information systems are communicated and acted on in a timely manner. Our disclosure controls and procedures address cybersecurity and include processes intended to ensure that security breaches are reported to appropriate personnel and, if warranted, analyzed for potential disclosure. While we have experienced cybersecurity attacks, such attacks to date have not materially affected the Company or our business strategy, results of operations, or financial condition.
Governance
Board Oversight of Cybersecurity Matters
Oversight of information security matters is conducted by our full Board of Directors. The Board annually receives a comprehensive presentation on information security and controls from our Chief Information Officer (CIO) and, as may be necessary for specific topics, follow up occurs at additional meetings during the course of the year.
Management of Cybersecurity Risks
Textron Information Services is led by our CIO, who has held positions of increasing responsibility within our corporate, Bell and Textron Systems IT organizations since 2008, including leading the IT organizations at both segments in maintaining compliance with U.S. Department of Defense information security requirements, as well as with our enterprise information security policies and standards. He previously led strategic IT projects and teams responsible for delivering global IT solutions for several large U.S.-based companies.
Our corporate information security organization, led by our Chief Information Security Officer (CISO), who reports to our CIO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. Our CISO has more than 20 years of experience in the field of information security and holds multiple cybersecurity certifications including the designation of Certified Information Systems Security Professional.
Risk Management
Cybersecurity related risks have been identified as material business risks, and identifying, assessing and managing these risks is integrated into our Enterprise Risk Management (ERM) process, which is designed to identify, assess and guide in managing material risks throughout Textron at both the business segment and enterprise levels. We maintain cyber risk/network protection mitigation plans through our ERM process to assist in management of these risks. Our full Board oversees our ERM process through discussions at our Board of Directors’ Annual Strategic Business and Risk Review and at an annual dedicated ERM Review. In addition, high risk areas, including cybersecurity matters, are reviewed and discussed with the full Board or other Board Committees, as appropriate. The Audit Committee, as reflected in its charter, has been designated to assist the Board in its oversight of our ERM process, including with respect to cybersecurity risk.
We maintain a detailed Cybersecurity Incident Response Plan that guides our incident response process. Upon the occurrence of a cybersecurity event, the cyber incident response team will follow a predefined process, documenting each step taken, to analyze and validate the event, and, if a cybersecurity incident is suspected to have occurred, quickly perform an initial analysis to determine the incident’s scope. The team will prioritize the response to each incident based on its estimate of the business impact caused by the incident and the estimated efforts required to recover from the incident. Notification of the incident is made to various stakeholders, including senior management and, if appropriate based upon the incident severity assessment, our Board. The team will also conduct incident containment, eradication and recovery, and post incident activity.
Strategy
Our Security Culture
We protect our information assets and manage risk by promoting a culture that communicates security risks, designs secure IT systems and operates according to approved processes to reduce the likelihood and impact of security incidents. We achieve this objective by:
Designing, implementing and maintaining solutions with appropriate security controls.
Sustaining solutions with required patching and vulnerability remediation.
Creating and executing controls in support of policy as well as regulatory compliance.
Ensuring that our policies, processes, practices and technologies proactively protect against, defend against and remediate cyber threats.
Delivering quality communications and annual training to stakeholders on cyber awareness and computing hygiene.
We believe that the conduct of our employees is critical to the success of our information security. Through our security awareness program, we keep our employees apprised of threats, risks and the part that they play in protecting both themselves and the company. We conduct periodic compliance training for our employees regarding the protection of sensitive information, which includes training intended to prevent the success of cyberattacks. We also conduct regular phishing simulations to increase employee awareness on how to spot phishing attempts, and what to do if they suspect an email to be a phishing attack.
We execute penetration testing against our technical environment and processes, and continuously monitor our network and systems for signs of intrusion. We also retain consultants to enhance our penetration testing program with current trends and methodologies utilized against other companies, ensuring we are proactively reducing risk from emerging threats. These penetration tests are conducted at a random interval and target our infrastructure and certain of the products we deliver to our customers.
We have a rigorous process, including a formal IT risk assessment, to assess our service providers prior to allowing our information to be processed, stored or transmitted by third parties, and we include standardized contractual requirements in each contract where appropriate. We validate our service providers' security via questionnaires, open-source intelligence and, where appropriate, SOC 1 reports on financially significant third-party service providers. Our process also includes periodic monitoring of risk related to third parties, and re-evaluation when services or product purchases expand beyond their original scope or intended use.
Protection against insider threats is a critical component of our security strategy, particularly within our defense business units. Our insider threat detection processes are designed to identify and evaluate potential insider threats so that appropriate mitigation can be implemented.
Collaboration with our industry partners and government customers contributes to the protection of Textron’s computing environment as well as our military stakeholders. Textron is engaged with various industry groups such as Aerospace Industries Association, National Defense Information Sharing & Analysis Center and our Defense Industrial Base colleagues to ensure that we are aware of and are addressing the latest adversarial threats. Additionally, we share cyber best practices with industry peers to help to make the industry more secure.