SOUTHWEST AIRLINES CO - (LUV)

10-K Filing Date: February 06, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Risk Assessment and Management

The Company is increasingly dependent on the use of complex technology and systems to run its operations and support its strategic objectives. These technologies and systems include, among others, the Company's website and reservation system; flight dispatch and tracking systems; flight simulators; check-in kiosks; aircraft maintenance, planning, and record keeping systems; telecommunications systems; flight planning and scheduling systems; crew scheduling systems; human resources systems; and financial planning, management, and accounting systems. Additionally, the Company must receive certain confidential or personal information related to its Customers and Employees to run its business, and the Company's operations depend upon secure collection, processing, retention, and transmission of such information. Therefore, the performance, reliability, and security of the Company's technology infrastructure and information systems are critical to the Company's operations and initiatives.

The Company has an enterprise risk management (“ERM”) program to identify, evaluate, and manage risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program to align cybersecurity efforts with the Company's broader business goals and objectives. The Company believes that integrating cybersecurity risks into its ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the Company’s operations, financial condition, and reputation in an ever-evolving threat landscape.

The Company maintains a cybersecurity program that is designed to identify, protect from, detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. The National Institute of Standards and Technology Cybersecurity Framework helps the Company inform its cybersecurity agenda and prioritize its cybersecurity activities. The Company takes a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect the Company’s operations, finances, legal or regulatory compliance, or reputation. Once identified, cybersecurity risks and related mitigation efforts are prioritized based on their potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk. These strategies include, among others, the application of cybersecurity policies and procedures, implementation of administrative, technical, and physical controls, and Employee training, education, and awareness initiatives. The Company’s cybersecurity risk management also includes a Security Operations Center (“SOC”) that conducts ongoing monitoring of networks and systems for potential signs of suspicious activity. The SOC is a centralized function that monitors security alerts to initiate triage, verification, and remediation activities. Additionally, the Company’s cybersecurity program provides mechanisms for Employees to report any unusual or potentially malicious activity they observe. The Company tracks key performance indicators and cybersecurity metrics to evaluate the efficacy of its cybersecurity controls and practices. 
Further, the Company’s cybersecurity program is periodically reviewed by its Cybersecurity Leaders (as defined below) and adjusted in an effort to maintain the program’s agility and responsiveness as circumstances evolve, new cybersecurity threats emerge, and regulations change.

Incident Response

The Company has a dedicated cybersecurity incident response team responsible for managing and coordinating the Company’s cybersecurity incident response efforts. This team also collaborates closely with other teams in identifying, protecting from, detecting, responding to, and recovering from cybersecurity incidents. Cybersecurity incidents that meet certain thresholds are escalated to the Cybersecurity Leaders and cross-functional teams on an as-needed basis for support and guidance. Additionally, this team tracks cybersecurity incidents to help identify and analyze them. The Company’s cybersecurity incident response team partners with the Company’s internal cybersecurity teams as well as with external legal advisors, communication specialists, and other key stakeholders as appropriate to respond to cybersecurity incidents. The Company maintains a cybersecurity incident response plan to prepare for and respond to cybersecurity incidents. The incident response plan includes standard processes for reporting and escalating cybersecurity incidents to senior management. Additionally, the Company conducts at least one cybersecurity tabletop exercise on an annual basis, where members of a cross-functional team engage in a simulated cybersecurity incident scenario. This preparedness exercise is intended to provide hands-on training for the participants and helps the Company assess its processes and capabilities in addressing cybersecurity threats.

Use of Third Parties

Cybersecurity Service Providers and Third-Party Consultants. The Company engages cybersecurity consultants, auditors, and other third parties to assess and enhance its cybersecurity practices. These third parties conduct assessments, penetration testing, and vulnerability assessments to identify weaknesses and recommend improvements. Additionally, the Company leverages a number of third-party tools and technologies as part of its efforts to enhance cybersecurity functions. This includes a managed security service provider to augment the Company’s dedicated SOC team, an endpoint detection and response system for continuous monitoring, detection, and response capabilities, and a security information and event management solution to automate real-time threat detection, investigation, and prioritization of high-fidelity alerts.

Oversight of Third-Party Service Providers. The Company also uses third-party service providers to support its operations and many of its technology initiatives. The Company evaluates third-party service providers from a cybersecurity risk perspective, which may include an assessment of that service provider’s cybersecurity posture or a recommendation of specific mitigation controls. Following an evaluation, the Company determines and prioritizes service provider risk based on potential threat impact and likelihood, and such risk determinations drive the level of due diligence and ongoing compliance monitoring required for each service provider.

Risks from Material Cybersecurity Threats

As of the date of this report, the Company has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although the Company has not experienced cybersecurity incidents that are individually, or in the aggregate, material, the Company has experienced cyberattacks in the past, which the Company believes have thus far been mitigated by preventative, detective, and responsive measures put in place by the Company. For a detailed discussion of the Company’s cybersecurity related risks, see “Item 1.A Risk Factors—Information Technology Risks.”

Cybersecurity Governance

Board Oversight

The Board is responsible for overseeing management’s assessments of major risks facing the Company and for reviewing options to mitigate such risks. The Board’s oversight of major risks, including cybersecurity risks, occurs at both the full Board level and at the Board committee level through the Audit Committee.

The Board. The Chief Executive Officer, the Chief Operating Officer, the Chief Financial Officer, members of senior management, and other personnel and advisors, as requested by the Board, report on the Company’s financial, operating, and commercial strategies, as well as major related risks, which may include cybersecurity risks, at regularly scheduled meetings of the Board. Based on these reports, the Board requests follow-up data and presentations to address any specific concerns and recommendations. Additionally, the Audit Committee has opportunities to report regularly to the entire Board and review with the Board any major issues that arise at the committee level, which may include cybersecurity risks.

The Audit Committee. The Audit Committee reviews with management the Company’s technology and cybersecurity frameworks, policies, programs, opportunities, and risk profile at its regularly scheduled meetings. The Company’s Chief Information Officer (“CIO”), Chief Information Security Officer (“CISO”), members of the cybersecurity team, or other advisors, as requested by the Audit Committee, report quarterly on the Company’s technology, data privacy, and cybersecurity strategies and risks. Cybersecurity topics are presented to the Audit Committee on a quarterly basis and generally highlight any significant cybersecurity incidents, the cyber threat landscape, cybersecurity program enhancements, cybersecurity risks and related mitigation activities, and any other relevant cybersecurity topics. Management believes that this regular cadence of reporting helps to provide the Audit Committee with an informed understanding of the Company’s dynamic cybersecurity program and threat landscape. The Audit Committee further reviews with management the Company’s business continuity and disaster recovery plans and capabilities and the effectiveness of the Company’s escalation procedures. Based on these management reports, the Audit Committee may request follow-up data and presentations to address any specific concerns and recommendations. In addition to this regular reporting, significant cybersecurity risks or threats may also be escalated on an as-needed basis to the Audit Committee.

Management’s Role

The Company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The Company’s cybersecurity function is led by the Company’s CISO, who reports to the Company’s CIO. The CISO and CIO (collectively, the Company’s “Cybersecurity Leaders”) are actively involved in assessing and managing cybersecurity risks. They are responsible for implementing cybersecurity policies, programs, procedures, and strategies. The responsibilities and relevant experience of each of the Cybersecurity Leaders are listed below:

The CIO provides leadership for the Company’s technology department. The CIO holds an undergraduate degree from Cornell and has served in various roles in information technology for over 20 years, including Vice President, Senior Director, Manager and Consultant.

The CISO is responsible for all aspects of cybersecurity across the Company’s facilities, airports, and aircraft fleet, which includes security engineering, security operations, incident response, threat intelligence, risk and compliance, and vulnerability management. The CISO has served in various roles in information technology for nearly 40 years at numerous technology companies and consulting firms. The CISO earned a Bachelor of Science in Industrial Engineering from Louisiana State University, a Master of Science in Management Information Systems from The University of Texas at Dallas, and a Master of Business Administration from Southern Methodist University.

The Company’s cybersecurity department is comprised of teams that engage in a range of cybersecurity activities such as threat intelligence, security architecture, and incident response. These teams conduct vulnerability management and penetration testing to identify, classify, prioritize, remediate, and mitigate vulnerabilities. Leaders from each team regularly meet with the Cybersecurity Leaders to provide visibility of major issues and seek alignment with strategy. As noted above under “Incident Response,” the Company’s cybersecurity incident response plan includes standard processes for reporting and escalating cybersecurity incidents to senior management. Cybersecurity incidents that meet certain thresholds are escalated to the Cybersecurity Leaders and cross-functional teams on an as-needed basis for support and guidance. The Company’s incident response team also coordinates with external legal advisors, communication specialists, and other key stakeholders.