JETBLUE AIRWAYS CORP - (JBLU)

10-K Filing Date: February 12, 2024
ITEM 1C. CYBERSECURITY
JetBlue places great importance on safety, including cybersecurity, to protect against various threats. The Company's cybersecurity strategy prioritizes detection, analysis and response to cyber threats, effective management of cyber risks, and resilience against cyber incidents. Safety is the Company's #1 value, and the strength of our safety is supported by exercising vigilance in security, including cybersecurity.
We maintain a formal cybersecurity program with guidance drawn from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and other industry standards. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our program is designed to protect the confidentiality, integrity, and availability of systems and data. The state of our program maturity and regulatory compliance is regularly assessed by external audits and reviews by third party cybersecurity auditors and assessors. Among the key features of our cybersecurity risk management processes are the following:
policies and procedures designed to comply with data security and privacy obligations;
security technology and tools deployed in our IT environment that help us to identify and manage critical cybersecurity risks, as well as to detect and respond to incidents;
security awareness training offered to our workforce, and specialized incident response training for our cybersecurity team in partnership with our Business Continuity and Emergency Response department;
a Security Operations Center that monitors and responds to incidents; and
a third-party risk management program that includes diligence and contracting processes for vendors and service providers based on their respective function and risk profile.
JetBlue management has an overall responsibility for assessing and managing risks from cybersecurity threats to the Company and has an established cyber risk committee that consists of the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Information Officer and Chief Information Security Officer (CISO). Our CISO has primary responsibility for the design and execution of our cybersecurity risk management program, and helps the committee stay informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, including but not limited to briefings with internal security team members, threat intelligence obtained from public and private sources, and alerts and reports produced by security tools deployed in the IT environment. Our current CISO has nearly two decades of experience in IT risk and program management, threat intelligence, and cybersecurity governance; he also has several cybersecurity industry certifications and specialized training in cybersecurity.
The CISO regularly briefs the cyber risk committee to review and evaluate potential threats and cyber risks to the Company. A cyber risk update is provided on a quarterly basis to the Audit Committee, which has delegated authority from the Board for cybersecurity risk oversight, and reports are made to the full Board on an annual basis.
For the 2023 period, we reported no material cybersecurity incidents affecting the confidentiality, integrity, or availability of data or systems. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For further information, please see our risk factors titled “Our reputation and business may be harmed and we may be subject to legal claims if there is disruption to our information technology systems or loss, unlawful disclosure or misappropriation of, or unsanctioned access to, our customers’, crewmembers’, business partners’ or our own information or other breaches of our information security” and “Data security compliance requirements could increase our costs, and any significant data breach could disrupt our operations and harm our reputation, business, results of operations and financial condition.”
