Gogo Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Gogo Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:02:17 EST.

Filings

10-K filed on 2024-02-28

Gogo Inc. filed an 10-K at 2024-02-28 16:02:17 EST
Accession Number: 0000950170-24-022040

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. As a foundation of this approach, we have implemented a layered governance structure to help assess, identify, manage and report cybersecurity risks. Our cybersecurity program is aligned to the National Institute of Standards and Technology s Cybersecurity Framework ( NIST ), which outlines the core components and responsibilities necessary to sustain a healthy and well-balanced cybersecurity program. To protect our network and information systems from cybersecurity threats, we use various security tools and policies that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools. We have a number of policies and procedures supporting the cybersecurity program, including a comprehensive enterprise cybersecurity incident response plan which is activated in the event of a cybersecurity incident. The incident response plan is a detailed playbook that specifies how Gogo classifies, responds to, and recovers from cybersecurity incidents and includes notification procedures that vary depending on the significance of the incident. When warranted by the severity of the incident, the Board, the Audit Committee, the Chief Executive Officer and other senior executives are part of the notification chain. We conduct regular reviews and tests of our cybersecurity program, which includes tabletop exercises, penetration and vulnerability testing, simulations, and other exercises, as well as leverage audits by our internal audit team to evaluate the effectiveness of our cybersecurity program and controls and improve our security measures and planning. We also engage external auditors to review our cybersecurity program and controls, as well as engage third parties to perform penetration testing and vulnerability scanning of our public and private assets. With respect to third-party service providers, we obligate our vendors to adhere to privacy and cybersecurity measures through various contractual provisions to the extent possible, and we perform risk assessments of vendors as appropriate from time to time, which includes a vendor s ability to protect data from unauthorized access. As described in Item 1A Risk Factors, our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, employee or vendor misconduct and other external hazards could expose our information systems and those of our vendors to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business, including the loss of customer confidence, reputational harm, our operating results and our financial condition. While we have experienced cybersecurity incidents, to date, we do not believe that we have experienced a material cybersecurity incident during the fiscal year ended December 31, 2023. The sophistication of cybersecurity threats, including through the use of artificial intelligence, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency such as our contemplated use of artificial intelligence may further expose our computer systems to the risk of cybersecurity incidents. Governance As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, which involves Board and Audit Committee oversight, senior and department executive leadership focus and commitment, and employee training. Our Audit Committee, comprised entirely of independent directors from our Board, oversees the Board s responsibilities relating to the operational (including information technology ( IT ) risks, business continuity and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through annual assessments, quarterly reporting and regular updates from members of the Company s executive leadership team, cybersecurity and data privacy leadership team, as well as the Internal Audit team. Our Vice President, Network Engineering, Product Development and Operations serves as the leader of our cybersecurity team and has over 25 years of experience working in information technology, specializing in network security. The leader of our cybersecurity team has spent the last 17 years working for us in a variety of roles and as a result has in-depth knowledge of the Company s IT and Cyber ecosystem. We believe that his technical expertise combined with his business acumen and education, positions him well to lead Gogo s cybersecurity program. In addition to oversight of cybersecurity, our Vice President, Network 34 Engineering, Product Development and Operations oversees (i) infrastructure management, (ii) the implementation and compliance of our information security standards, and (iii) mitigation of information security related risks. We also have management level committees and a cybersecurity incident team who support our processes to assess and manage cybersecurity risk as follows: The Cybersecurity Cross Functional Team (the Cybersecurity CFT ), led by our Vice President, Network Engineering, Product Development and Operations, brings together IT, legal, compliance and other function heads. The Cybersecurity CFT provides a forum for these cross-functional members of management to: consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise. The Gogo Executive Cybersecurity Committee (the GECC ) is comprised of executive leadership and members of the cybersecurity, operations, risk, legal, and internal audit teams. The GECC liaises with the Cybersecurity CFT and provides oversight of all aspects of Gogo s cybersecurity program and, at regular intervals through the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks. The Incident Response Management Team (the IRMT ), which includes senior executives and members of our cybersecurity leadership team, was established to support our incident response plan and reports into the GECC. Members of the IRMT are alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The IRMT annually assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options. The IRMT also engages with the Company s Board and the Audit Committee depending on the severity of the cybersecurity incident. The output of each of the foregoing committees are collected and analyzed on a regular basis and our Vice President, Network Engineering, Product Development and Operations briefs the Audit Committee, through quarterly updates as well as on an ad hoc basis between regular updates to the extent needed. At the employee level, we maintain an experienced IT team tasked with implementing our privacy and cybersecurity program and supporting our cybersecurity leader in carrying out reporting, security and mitigation functions. We continuously seek to promote awareness of cybersecurity risk through communication and education of our employee population, and have a mandatory training program which covers privacy and cybersecurity (including phishing tests) and records and information management.

Company Information