Sun Country Airlines Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

Sun Country Airlines Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 13:40:34 EST.

Filings

10-K filed on 2024-02-14

Sun Country Airlines Holdings, Inc. filed a 10-K at 2024-02-14 13:40:34 EST
Accession Number: 0001743907-24-000005


Item 1C. Cybersecurity.

As a regular part of our ordinary business operations, we collect and store sensitive data, including information necessary for our operations, information from our passengers, customers (including the DoD), employees and our business partners. The secure operation of our networks and systems, and those of our business partners and third-party service providers, on which this type of information is collected, processed, maintained and stored is critical to our business operations and strategy. We recognize these networks and systems may be subject to increasing and continually evolving cybersecurity risks.

Risk Management and Strategy

A significant cybersecurity incident to us or one of our third-party partners could result in a range of potentially material negative consequences for us, which could include lost revenue; unauthorized access to, disclosure, modification, misuse, loss or destruction of Company systems or data; theft of sensitive, regulated or confidential data, such as personal identifying information or our intellectual property; the loss of functionality of critical systems through ransomware, denial of service or other attacks; and business delays, service or system disruptions, damage to equipment and injury to persons or property. The costs and operational consequences of defending against, preparing for, responding to and remediating an incident may be substantial. Further, we could be exposed to litigation, regulatory enforcement or other legal action as a result of an incident, carrying the potential for damages, fees, fines, sanctions or other penalties, as well as injunctive relief requiring costly compliance measures. Due to the significant competition within the airline industry, a cybersecurity incident could also impact our brand, harm our reputation and adversely impact our relationship with our customers, employees and stockholders.

For the reasons mentioned above, the secure operation of our networks and systems, and those of our business partners and third-party service providers, on which this type of information is collected, processed, maintained and stored is critical to our business operations and strategy. Cybersecurity risk is a focus of our control environment and included within our entity-level controls, process level controls, and general information technology controls. We regularly review and update our procedures, processes and technologies to prevent and protect against unauthorized access to, and to ensure the confidentiality, integrity, and availability of, our networks and systems. We have programs in place to identify and protect against cybersecurity weaknesses in our networks and systems, detect, contain, evaluate and respond to data security incidents and provide employee awareness training regarding phishing, malware and other cybersecurity risks. Many of our policies align with the National Institute of Standards and Technology Cybersecurity Framework and we continually evaluate and enhance our cybersecurity procedures. Activities include mandatory online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises, throughout the organization. These cybersecurity drills are performed both in-house and by third-party service providers. We use automated tools that monitor, detect, and prevent cybersecurity risks and have a third-party security operations center to alert us to any potential cybersecurity threats.

We have effected comprehensive incident response plans that outline the appropriate communication flow and response for certain categories of potential cybersecurity incidents.

We rely on third-party vendors to provide software solutions that are critical to our operations. We assess cybersecurity risk during onboarding for material vendors that receive sensitive information or provide services that are critical to our business, and regularly audit these providers after onboarding. We review vendors that are material to our ordinary business operations on an annual basis and monitor these vendors for compliance with cybersecurity best practices. To assist in the review of our cybersecurity risks, as well as the risks associated with our material vendors, we engage third-party cybersecurity professionals. For example, we engage vendors to assist in vetting the cybersecurity of our material vendors and to facilitate incident response tabletop exercises.

Governance

Role of the Board of Directors

It is the duty of the Board of Directors to serve as a prudent fiduciary for shareholders and to oversee the management of our business. Our Board of Directors is responsible for establishing accountability for our executive officers and ensuring reasonable internal controls are in place, including processes and procedures for detecting, containing, evaluating and responding to cybersecurity incidents. The Board of Directors is informed of the cybersecurity threats potentially facing the Company and the Company's prevention activities on a quarterly basis, or more frequently if needed, through discussions and presentations with our management and individuals directly responsible for our cybersecurity.

These presentations include, as applicable, reports on the overall status of the Company's cybersecurity program, discussion of material cybersecurity matters, including the results of penetration or other security testing, security incidents, and violations of the Company's security policy, and recommended changes to the Company's cybersecurity program. The Board of Directors is actively engaged in the Company's ongoing efforts to increase incident response preparedness.

Role of Management

Our management is responsible for establishing and maintaining adequate cybersecurity over the secure operation of our networks and systems, and for evaluating and monitoring our cybersecurity risks associated with our business partners and third-party service providers. The Company's CIO and CISO are responsible for managing these risks. These individuals have extensive experience in technology and information security within the airline industry. The CIO and CISO are responsible for assessing the Company's cybersecurity risks and, in conjunction with Legal where appropriate, establishing and maintaining a cybersecurity program to manage such risks. For example, the CIO and CISO oversee cybersecurity training for our employees and establish standards used to evaluate and monitor the process and control requirements we expect of our third-party partners as part of the Company's overall cybersecurity program. The CIO and CISO lead a team that includes third-party cybersecurity professionals to administer the Company's cybersecurity program. The CIO and CISO are responsible for the reporting of cybersecurity matters to the Board of Directors.


Company Information

Name: Sun Country Airlines Holdings, Inc.
CIK: 0001743907
SIC Description: Air Transportation, Scheduled
Ticker: SNCY - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 30