Frontier Group Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

Frontier Group Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:07:34 EST.

Filings

10-K filed on 2024-02-20

Frontier Group Holdings, Inc. filed a 10-K at 2024-02-20 16:07:34 EST
Accession Number: 0001670076-24-000021


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

In order to respond to the threat of security breaches and cyberattacks, we have developed and maintain a cybersecurity risk management program that is designed to protect and preserve the confidentiality, integrity and continued availability of our systems and information. Our cybersecurity risk management program also includes a cybersecurity incident response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incidents. The maturity of our cybersecurity program is assessed annually.

We use the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF") as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST CSF.

Our cybersecurity risk management program shares common methodologies, reporting channels and governance processes that apply across our overall enterprise risk assessment to other legal, compliance, strategic, operational, and financial risk areas.
Our cybersecurity risk management program includes:

- risk assessments and rating platforms that are leveraged to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
- a security team principally responsible for managing our cybersecurity risk assessment processes and our response to cybersecurity incidents through monitoring and identification activities;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- annual cybersecurity awareness training for employees and web and mobile developers, including responsible information security, data security and cybersecurity practices;
- a computer incident response team ("CIRT") that leverages our cybersecurity incident response plan which includes procedures for responding to cybersecurity incidents, escalating notifications, and reporting requirements to regulatory bodies; and
- a third-party risk management process for service providers, suppliers, and vendors.

We did not identify a material security breach during the year ended December 31, 2023, nor have we identified risks from any known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Cybersecurity Governance

Our board of directors is responsible for risk oversight, including cybersecurity risks, which occurs at the board of directors level and through the audit committee's (the "Audit Committee") oversight of cybersecurity and other information technology risks. Additionally, we have a Cybersecurity Disclosure Committee ("CDC"), which includes representation from our Information Technology, Legal, Internal Audit, and Accounting and Reporting teams.
The CDC is responsible for assessing the materiality of cybersecurity incidents based on quantitative and qualitative materiality factors, and for providing recommendations on public disclosures of cybersecurity incidents to the Audit Committee if an incident is identified to be possibly material. The CDC also provides input and consideration into internal controls surrounding cybersecurity along with reviewing cybersecurity risks, mitigation strategies, and ensuring the cybersecurity strategy is in alignment with business objectives.

The Audit Committee receives reports as necessary, and no less than quarterly, from our cybersecurity management team on our cybersecurity risks and related information, including, but not limited to, analysis of events that have impacted our peers, updates on program maturity, regulatory compliance status and cybersecurity program status and updates. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Audit Committee regularly briefs our board of directors on the matters communicated to the Audit Committee by our cybersecurity management team and the CDC, and our board of directors also receives periodic briefings from our cybersecurity management team on our cybersecurity risk management program and on cybersecurity threats in order to enhance our directors' literacy on cybersecurity issues.

Management's Role

Our cybersecurity management team, which is led by our Chief Information Officer ("CIO") and Director of Cybersecurity, consists of members who have extensive experience in cybersecurity and is responsible for assessing and managing our material risks from cybersecurity threats.
The team has primary responsibility for implementing our overall cybersecurity risk management program, including ongoing monitoring, and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CIO and Director of Cybersecurity have extensive cybersecurity experience as noted below.

Our Senior Vice President, CIO leads our information technology department and oversees our cybersecurity division. Our CIO holds a Bachelor of Engineering in Computer Science and Engineering from Maharshi Dayanand University and a Master of Science in Computer Science from the University of Texas at Arlington. Our CIO has served in various roles in information technology for over 20 years, including as vice president of the Canadian division of a major home improvement retailer, where he directly oversaw the cybersecurity function, and in various vice president and IT director roles at a large U.S. based retailer and aircraft operator, as well as in the energy and online ticket distribution industries.

Our Director of Cybersecurity heads the division and is responsible for aspects of cybersecurity across our infrastructure, which includes cybersecurity architecture and engineering, cybersecurity operations and IT governance risk and compliance. Our Director of Cybersecurity has served in various cybersecurity roles for over 20 years at numerous organizations and consulting firms. Our Director of Cybersecurity earned a Bachelor of Business Administration in Management Information Systems (MIS) from Florida International University and a Master of Business Administration (MBA) in Management from Nova Southeastern University and also holds active cybersecurity certifications including the GIAC Certified Incident Handler (GCIH), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP).


Company Information

Name: Frontier Group Holdings, Inc.
CIK: 0001670076
SIC Description: Air Transportation, Scheduled
Ticker: ULCC - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30