Spirit Airlines, Inc. - (SAVE)

10-K Filing Date: February 09, 2024
ITEM 1C. CYBERSECURITY

The Company’s cybersecurity program is designed to secure the continuity of operations and protect the privacy of company, guest and team member data. The Company uses multiple layers of security controls and unique threat intelligence within the “Center for Internet Security v8 Cybersecurity Framework” across five core security functions: Identify risks and threats, Protect, Detect, Respond and Recover. In addition, the Company requires that its employees complete annual compliance training on cybersecurity and online habits.

The Company’s cybersecurity program is managed by a dedicated cybersecurity function reporting to the Chief Information Security Officer (“CISO”) who reports to the Chief Information Officer (“CIO”) and is responsible for the Company’s cybersecurity strategy, policies, standards, architecture and process. The CISO has over 20 years of executive experience in IT operations and security, primarily in the airline industry, and maintains several active certifications in Risk and Information Security including CIPPUS, CISSP-ISSMP, CISM, CRISC, and CISSP. The program includes periodic and ad hoc reporting on relevant developments, including monitoring, prevention, detection, mitigation and remediation of the current cybersecurity landscape as well as reporting on any cybersecurity incidents to the Company’s CEO and the Safety, Security and Operations Committee of the Board of Directors, which has oversight of management’s cybersecurity function. The CISO also engages external government and commercial expertise to continuously evaluate, test and adapt the program. External vendors participate in in-depth security assessments based on the Company’s vendor management security policy.

Currently, the Company is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company’s operations. However, the nature of potential cybersecurity risks and threats is uncertain, and any future incidents, outages or breaches could have a material adverse effect on the Company’s business strategy, results of operations or financial condition.