BOEING CO - (BA)
10-K Filing Date: January 31, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers, and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, other industry-recognized standards, and contractual requirements, as applicable. We also leverage government partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.
We maintain security programs that include physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and timely and effectively respond to cybersecurity threats or incidents. Through our cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors to company systems as well as our aerospace products and services, and we evaluate the potential operational and financial
17
effects of any threat and of cybersecurity countermeasures made to defend against such threats. We continue to integrate our cyber practice into our Enterprise Risk Management program and our Compliance Risk Management program, both of which are overseen by our Board of Directors and provide central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Risks from cybersecurity threats to our products and services are also overseen by our Board of Directors. In addition, we periodically engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to any incidents.
As part of our cybersecurity risk management process, we conduct “tabletop” exercises during which we simulate cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cyber incident preparedness. These exercises are conducted at both the technical level and senior management level, which has included participation by a member of our Board of Directors. In addition, all employees are required to pass a mandatory cybersecurity training course on an annual basis and receive monthly phishing simulations to provide “experiential learning” on how to recognize phishing attempts.
We have established a cybersecurity supply chain risk management program, which is a cross-functional program that forms part of our Enterprise Risk Management program and is supported by our security, compliance, and supply chain organizations. Through this evolving program, we assess the risks from cybersecurity threats that impact select suppliers and third-party service providers with whom we share personal identifying and confidential information. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the products or services we procure from such suppliers. We generally require our suppliers to adopt security-control principles based on industry-recognized standards.
We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See “Risks Related to Cybersecurity and Business Disruptions” in “Risk Factors” on page 14 of this Form 10-K.
Governance
Our Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board in performing this function based on their respective areas of expertise. Our Board of Directors has delegated oversight of risks related to cybersecurity to two Board committees, the Audit Committee and the Aerospace Safety Committee, and each committee reports on its activities and findings to the full Board after each meeting. The Audit Committee is charged with reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. Our Chief Information Officer and Senior Vice President, Information Technology & Data Analytics (CIO) and our Chief Security Officer (CSO) provide presentations to the Audit Committee on cybersecurity risks at each of its bimonthly meetings. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. In addition, the Audit Committee has designated one of its members with expertise in cyber risk management to meet regularly with management and review our cybersecurity strategy and key initiatives and progress toward our objectives. In the event of a potentially material cybersecurity event, the Chair of the Audit Committee is notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held, as appropriate. The Aerospace Safety Committee provides oversight of the risks from cybersecurity threats related to our aerospace products and services. The Aerospace Safety Committee receives regular updates and reports from senior management, including the Chief
18
Engineer, the Chief Aerospace Safety Officer, and the Chief Product Security Engineer, who provide briefings on significant cybersecurity threats or incidents that may pose a risk to the safe operation of our aerospace products. Both committees brief the full Board on cybersecurity matters discussed during committee meetings, and the CIO provides annual briefings to the Board on information technology and data analytics related matters, including cybersecurity.
At the management level, we have established a Global Security Governance Council (the Council) to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Council is responsible for developing and coordinating enterprise cybersecurity policy and strategy, and for providing guidance to key management and oversight bodies.
Richard Puckett, as our CSO, serves as the chair of the Council. He is responsible for overseeing a unified security program that provides cybersecurity, fire and protection operations, physical security, insider threat, and classified security. Mr. Puckett has nearly 30 years of experience in the cybersecurity industry, including, prior to joining Boeing in 2022, as Chief Information Security Officer of SAP SE and Thomson Reuters Corporation, Vice President, Product and Commercial Security of General Electric, Inc., and Senior Security Architect at Cisco Systems, Inc. He reports directly to the CIO and meets regularly with other members of senior management and the Audit Committee.
The Council also includes, among other senior executives, our Chief Engineer, Chief Information Officer, Chief Aerospace Safety Officer and Chief Product Security Engineer, who each have several decades of business and senior leadership experience managing risks in their respective fields, collectively covering all aspects of cybersecurity, data and analytics, product security engineering, enterprise engineering, safety and the technical integrity of our products and services.
The Council meets monthly and updates key members of the Company’s Executive Council on progress towards specific cybersecurity objectives. A strong partnership exists between Information Technology, Enterprise Security, Corporate Audit, and Legal so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.