Iridium Communications Inc. 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

Iridium Communications Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 07:06:20 EST.

Filings

10-K filed on 2024-02-15

Iridium Communications Inc. filed a 10-K at 2024-02-15 07:06:20 EST
Accession Number: 0001418819-24-000008


Item 1C. Cybersecurity.

Risk management and strategy

We have implemented and maintain information security processes designed to identify, assess and manage material risks from cybersecurity threats to our information systems and critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature. Our most important information system is our satellite network and related ground systems that carry our customers' traffic on our network. We also maintain critical internal computer networks, as well as third-party hosted services, communications systems, hardware and software.

Our management, led by our chief information officer, in conjunction with our internal management security committee and third-party service providers, helps to identify, assess and manage our cybersecurity threats and risks by monitoring and evaluating our threat environment and risk profile. These teams use a number of methods to do this, including manual and automated tools, internal and external threat assessments, and internal and external vulnerability assessments. The third parties we engage in this effort generally consist of threat intelligence service providers; cybersecurity consultants and software providers; penetration testing firms; monitoring services; forensic investigators; and other professional services firms, including legal counsel.

Depending on the environment and system, we implement and maintain several technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our systems and data. These include, for example, IT policies and procedures; a network security policy; an information and asset management policy; an information security policy; incident planning, detection and response plans, including backup systems; vulnerability management, including of third parties; risk assessments; establishment of network security controls, including physical security; annual employee training; systems monitoring; and penetration testing.

We integrate our assessment and management of material risks from cybersecurity threats into our overall risk management processes. For example, our management security committee generally meets on a monthly basis and evaluates material risks from cybersecurity threats against our overall business objectives. Our management generally provides reports and status updates to our board of directors on a quarterly basis, as the board monitors our overall enterprise risk.

In addition to our internal resources, we also use third-party service providers, including application providers and hosting companies, distributors, and supply chain resources. We have an IT vendor management program designed to identify and manage cybersecurity risks associated with our use of these providers. As part of this program, we typically conduct risk assessments for certain IT vendors on an annual basis, including, for example, using security assessment measures such as a security questionnaire, perform a review of the vendor's own security program, audits, and vulnerability scans. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and may impose contractual obligations related to cybersecurity on the provider.

Despite these measures, we may not be successful in preventing, mitigating or recovering from a cybersecurity incident, which could have a material adverse effect on our operations or financial results or reputation. While we maintain cybersecurity insurance, it may not be adequate to cover the costs related to cybersecurity incidents we experience.

For a description of the primary risks from cybersecurity threats that may materially affect our business and how they may do so, see Part I, Item 1A. "Risk Factors" in this Annual Report on Form 10-K, including "Our networks and those of our third-party service providers may be vulnerable to cybersecurity risks."

Governance

Our board of directors addresses cybersecurity risk management as part of its general oversight function. The board oversees our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by members of our management team, led by our chief information officer, who has 15 years of experience in information technology roles and supported by our director of information security, who holds several certifications in the field of information security and technology. In addition to our chief information officer, our internal management security committee includes our chief executive officer, chief financial officer, chief operations officer and chief legal officer, as well as others within our organization in information technology roles.

Our chief information officer is responsible for hiring appropriate personnel and helping to integrate cybersecurity risk considerations into our overall risk management strategy and communicating key priorities to relevant personnel. Our chief information officer is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports.

Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. Information regarding cyber incidents is reported at the monthly meeting of the management security committee or sooner if warranted. Members of this committee work with our incident response team to help mitigate and remediate cybersecurity incidents of which they are notified. Our incident response and vulnerability management processes include reporting by management to the board of directors for certain cybersecurity incidents.

The board generally receives quarterly reports from our chief operations officer, chief information officer or other members of management, as well as periodic presentations from outside advisors concerning our significant cybersecurity threats and risk and the processes we have implemented to address them. The board also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.


Company Information

Name: Iridium Communications Inc.
CIK: 0001418819
SIC Description: Communications Equipment, NEC
Ticker: IRDM - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 30