HUNTINGTON INGALLS INDUSTRIES, INC. - (HII)
10-K Filing Date: February 01, 2024
ITEM 1C. CYBERSECURITY
Our cybersecurity program (the “Cybersecurity Program”) includes processes to identify, assess, and manage material risks from cybersecurity threats. The Cybersecurity Program processes utilize a risk-based approach and include written cybersecurity and information technology policies and procedures, including a cybersecurity incident response plan.
The Cybersecurity Program is informed, in part, by the guidelines of the National Institute of Standards and Technology Cybersecurity Framework to define material risks and establish controls designed to protect, detect, respond to, and recover from cybersecurity incidents. Controls are embedded within our processes and technology, and system activities are measured and monitored by our cybersecurity and information security subject matter specialists and applicable security operations centers at our different business units. We utilize an enterprise-wide “defense-in-depth” risk management strategy to effectively integrate people, processes, and technology.
When appropriate, we use external subject matter specialists to provide incident response services and to conduct independent assessments of internal response readiness. We conduct tabletop scenario planning, covering a range of potential cybersecurity threats, as part of our internal response readiness assessment. We also maintain a supply chain cybersecurity compliance and risk mitigation program to assess material cybersecurity risk from third parties.
Governance
In 2019, our board of directors established a standing Cybersecurity Committee, which is tasked with oversight of the Cybersecurity Program, including: (i) strategy and governance; (ii) operations; and (iii) risk management and regulatory compliance.
The Cybersecurity Committee responsibilities include:
• reviewing our enterprise cybersecurity strategy and framework, including our assessment of cybersecurity threats and risk, data security programs, and our management and mitigation of cybersecurity and information technology risks and potential breach incidents;
• reviewing any significant cybersecurity incident that has occurred, reports to or from regulators with respect thereto, and steps that have been taken to mitigate against reoccurrence;
• evaluating the effectiveness of our cyber risk management and data security programs measured against our cybersecurity threat landscape;
• assessing the effectiveness of our data breach incident response plan;
• reviewing and assessing our information technology disaster recovery capabilities; and
• reviewing our assessment of cybersecurity threats and risk associated with our supply chain and actions we are taking to address such threats and risks.
The Cybersecurity Committee receives reports and updates at committee meetings from our Chief Information Officer (“CIO”), Chief Information Security Officer (“CISO”), and other executives and cybersecurity specialists. Following each committee meeting, the chair of the Cybersecurity Committee briefs the full board of directors on matters covered at the prior Cybersecurity Committee meeting. The board also receives periodic briefings on emerging trends in order to enhance its literacy on cybersecurity issues. At least annually, the Cybersecurity Committee receives updates about the results of the Cybersecurity Program reviews.
The Cybersecurity Committee participates with management periodically in “tabletop” exercises to evaluate our data breach incident response plan.
Management’s Role and Expertise in Assessing and Managing Cybersecurity
Our Cybersecurity and Information Technology organization is led by our CIO, who is responsible for cybersecurity risk management, with oversight by the Cybersecurity Committee of the board of directors. Our CIO has more than 25 years of experience in the IT industry. Since 2008, he has held senior-level and CIO positions for several companies, each of which included responsibilities or influence for cybersecurity implementation delivery and oversight.
Our CISO executes the Cybersecurity Program with the support of the Cybersecurity Management Team, which has extensive cybersecurity expertise to protect and defend our networks, physical systems, infrastructure, and data from cybersecurity risks. Our CISO has 30 years of experience in cybersecurity, IT networking and electronic security, and holds a degree in Information Systems (Cybersecurity concentration). He has specific experience in the following cybersecurity areas: global IT security policy & governance; information risk management; cybersecurity strategic planning and integration; enterprise infrastructure cybersecurity engineering; incident response and remediation; global supply chain cyber risk management; cybersecurity awareness training; M&A cyber risk management; Cloud security; identity management; disaster recovery; and cybersecurity damage assessment.
Our cybersecurity incident response framework is governed by a corporate Cybersecurity Incident Response Plan (the “IRP”), which sets out our approach for categorizing, responding to, and mitigating cybersecurity incidents. The IRP provides definitions of key terms, stakeholder roles and responsibilities, and a response governance and escalation process.
We have an incident response team comprised of our CISO, executive leaders, management, and internal and external legal counsel, whose primary responsibilities include:
• evaluating and validating the impact of an incident;
• approving certain incident response countermeasures and remediation actions;
• escalating incidents and response countermeasures for approval; and
• acting in an advisory capacity in support of cybersecurity incident remediation, as appropriate.
We also have an executive cybersecurity and information technology steering committee comprised of our Chief Executive Officer, CIO, and other members of our executive leadership team, whose primary responsibilities include:
• approving containment and remediation procedures for escalated cyber incidents;
• activating, when appropriate, a crisis management team response; and
• approving certain incident response measures.
We maintain a Crisis Management Plan that addresses our preparation for, management, recovery from, and ultimate resumption of business after a crisis, including emergency response, continued recovery, and business resumption activities such as information systems recovery, when a cybersecurity incident may potentially have a significant impact on our business strategy, results of operations, or financial condition.
As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, as discussed under "Item 1A. Risk Factors," specifically the risks titled "We could be negatively impacted by security threats, including cyber security threats, and related disruptions" and "Our earnings and profitability depend, in part, upon subcontractor performance and raw material and component availability and pricing," the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well our controls are designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.