RTX Corp - (RTX)
10-K Filing Date: February 05, 2024
ITEM 1C. CYBERSECURITY
As a global aerospace and defense company serving commercial and government customers in the aerospace industry and domestic and international military and government customers as a defense contractor, we are the target of advanced and persistent cyber-attacks from a variety of threat actors. Our products and services are highly sophisticated and specialized, involve complex advanced technologies including information technology systems, and process, store, or transmit highly sensitive unclassified and classified information. Moreover, our products and services are often integrated with third-party products and services. Cybersecurity threats include attacks on, or other attempts to infiltrate, our information technology (IT) infrastructure and the IT infrastructure of our customers, suppliers, subcontractors and other third parties, attempting to gain unauthorized access to our confidential or other proprietary information, classified information, or information relating to our employees, customers, and other third parties, or to disrupt our systems or the systems of our customers, suppliers, subcontractors, and other third parties. Cybersecurity threats also include attempts to infiltrate our products or services, including attacks targeting the security, confidentiality, integrity and/or availability of the hardware, software and information installed, stored or transmitted in our products, including after the purchase of those products and when they are incorporated into third-party products, facilities, or infrastructure.
Our Cybersecurity Program
Given the nature of our business and the cybersecurity risks we face, we have a robust cybersecurity program for identifying, assessing, and managing cybersecurity risks, which include material risks from cybersecurity threats, to our internal systems, our products, services and programs for customers, and our supply chain. Our cybersecurity program is made up of two components: our enterprise cybersecurity program and our cybersecurity program for our products and services.
Enterprise Cybersecurity. Our enterprise cybersecurity program aligns with the National Institute of Standards and Technology (NIST) standards, among others. The program includes processes and controls for the deployment of new IT systems by the Company and controls over new and existing system operation. We monitor and conduct regular testing of these controls and systems, including vulnerability management through active discovery and testing to regularly assess patching and configuration status. In addition, we require our employees and contract workers to complete annual cybersecurity training, and we regularly conduct simulated phishing and cyber-related communications.
Product and Services Cybersecurity. Our product development processes apply development, security and operations principles aligned with applicable government and commercial standards including DO-326 and NIST standards and guideline publications, and include vulnerability scanning and static and dynamic composition analysis. We regularly assess our product development processes, product cyber maturity and the teams providing our secure services in relation to cybersecurity. In addition, we strive to meet all security requirements mandated by government and commercial customers and adhere to regulatory guidance and standards for system security engineering. Many of our products also undergo industry audits and regulatory compliance certifications, and our products delivered to the Department of Defense (DoD) must comply with DoD risk management requirements where required.
Cybersecurity for U.S. Government Authorized Systems. With respect to products and services provided to, and information technology systems used in connection with programs for, the U.S. government, our cybersecurity program aligns with the NIST standard and meets the requirements of 32 CFR Part 117 and other applicable U.S. government guidance. The program includes authorization and assessment of new and existing IT systems by our customer. We monitor use on these systems, including vulnerability management through patching and configuration. In addition, we restrict user access and require authorized users to complete additional user and cybersecurity training.
Incident Response. Our cybersecurity program includes monitoring for potential security threats that may lead to vulnerabilities. We evaluate and assign severity levels to incidents, escalate and engage incident response teams based on severity, and manage and mitigate the related risks. Incidents are reported internally to members of senior management and/or the Board of Directors as appropriate based on severity and incident type and are also analyzed for external reporting requirements. Our incident response process is also designed to coordinate functions to enable continuity of essential business operation in the event of a cyber crisis.
Third Party Service Providers. We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program’s risk prevention and protection measures, and process execution including incident detection, investigation, analysis and response, eradication, and recovery.
Management of Third-Party Risks. Our suppliers, subcontractors and third-party service providers are subject to cybersecurity obligations and controls. Prior to engagement, we assess the cybersecurity posture of third-party service providers who store, process, or transmit our information as a service, or connect to our networks. We also require our suppliers, subcontractors and third-party service providers to agree to cybersecurity-related contractual terms and conditions of purchase. Many of these third parties are also subject to regulatory requirements in mandatory government procurement clauses, including those contained in the U.S. Federal Acquisition Regulation and U.S. Defense Federal Acquisition Regulation Supplement, which obligate adherence to a generally accepted cybersecurity framework, such as NIST, and occasional assessment of their implementation of cybersecurity controls as a condition of contract award or during contract performance. Finally, we require these third parties to notify us of cybersecurity incidents that impact us.
Program Assessment. We continuously evaluate and seek to improve and mature our cybersecurity processes. Our cybersecurity program is regularly assessed through management self-evaluation and ongoing monitoring procedures to evaluate our program effectiveness, including assessments associated with internal controls over financial reporting as well as vulnerability management through active discovery and testing to validate patching and configuration. Additionally, our Internal Audit function regularly assesses our program effectiveness through audits of our entities, systems and processes to help maintain compliance with policies. As cybersecurity threats are continuously evolving, we also periodically engage with third parties to perform maturity assessments of our program to identify potential risk areas and improvement opportunities. This includes assessment of our overall program, policies and processes, compliance with regulatory requirements and an overall assessment of key vulnerabilities. We use these assessments to supplement our own evaluation of the overall health of our program and target improvement areas. Several external organizations also evaluate our enterprise cybersecurity program, including the U.S. Defense Contract Management Agency (DCMA) and Cybersecurity Maturity Model Certificate (CMMC) Third Party Assessment Organization. Moreover, some of our products are audited or reviewed for regulatory compliance certification pursuant to the relevant DoD risk management framework.
Board Oversight and Management’s Role
Enterprise Cybersecurity. Our Board of Directors has primary oversight responsibility for enterprise cybersecurity risks. The Special Activities Committee supports the Board in oversight of classified business cybersecurity, including with respect to company internal information and operational technology systems. The Audit Committee also considers enterprise cybersecurity risks in connection with its financial and compliance risk oversight role.
Our global chief information security officer (CISO), under the direction of our chief digital officer, leads our enterprise cybersecurity program and is responsible for assessing and managing enterprise cybersecurity risks. Our CISO regularly updates the Board of Directors on cybersecurity risks as they relate to our information and operational technology systems and our suppliers and partners, in addition to updates on enterprise cybersecurity incidents and key Company defenses and mitigation strategies.
Our CISO is an experienced cybersecurity senior executive with more than 25 years’ experience building and leading cybersecurity, risk management, and information technology teams. In performing his role, he regularly reviews enterprise cybersecurity risks, controls, program policy and processes, including training, oversees policy and program development, implementation and updates, and informs senior leadership on cybersecurity-related issues and activities affecting the organization. Our CISO is regularly apprised of enterprise cybersecurity events, threats and activities, including with respect to incidents, protection vulnerabilities, software update needs and lifecycle status.
Product and Services Cybersecurity. The Special Activities Committee of our Board of Directors has primary oversight responsibility for cybersecurity risks related to our products and services. The full Board of Directors also receives periodic briefings from management on the Company’s product cybersecurity risks and programs. The Audit Committee also considers product and services cybersecurity risks in connection with its financial and compliance risk oversight role.
Our product cybersecurity officer (PCO), under the direction of our chief technology officer, leads our cybersecurity program for our products and services and is responsible for assessing and managing related cybersecurity risks. Our PCO updates the Special Activities Committee on cybersecurity risks as they relate to our products and services, in addition to updates on product and service cybersecurity incidents, defenses and mitigation strategies.
Our PCO is an experienced embedded systems engineer and chief engineer with nearly 20 years’ experience in the development, product assurance, and security of critical and highly regulated embedded and other computer systems in medical, aviation, and military products and services. In performing her role, she regularly reviews cybersecurity risks, controls, program policy and processes, including training, and oversees and advises teams performing policy and program development, implementation and updates. Our PCO is regularly apprised of product and service cybersecurity events, threats and activities including with respect to incidents, protection vulnerabilities, software update needs and lifecycle status.
Enterprise Risk Management
Our cybersecurity risk processes are a key element of our Enterprise Risk Management (ERM) process, which is designed to identify and evaluate the full range of significant risks to RTX Corporation (RTX). As part of our ERM program, RTX’s functional and operations departments identify and manage enterprise risks on an annual cycle. The process consists of structured reviews, discussions, and mitigation planning, and includes risks identified by our Enterprise Cybersecurity and Product Cybersecurity functions as part of the overall review of significant RTX risks. The top ERM risks are compiled annually and shared with the Audit Committee of the Board of Directors as well as the full Board of Directors. In addition, Internal Audit incorporates these risks into its continuous risk assessment process and periodically audits specific ERM risks.
For more information on risks related to cybersecurity, see Item 1A. “Risk Factors” of this Form 10-K.