Redwire Corp 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

Redwire Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-20 16:19:52 EDT.

Filings

10-K filed on 2024-03-20

Redwire Corp filed a 10-K at 2024-03-20 16:19:52 EDT
Accession Number: 0001819810-24-000025


Item 1C. Cybersecurity.

Risk Management and Strategy

Redwire is committed to maintaining the trust and confidence of our stakeholders, which includes taking appropriate technical and organizational measures for maintaining information security and data privacy. Cybersecurity is critical to advancing our Heritage plus Innovation strategy and enabling our digital transformation efforts. We face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries, including nation state actors, that target the defense industrial base and other critical infrastructure sectors. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. These cybersecurity threats and related risks make it imperative that we strive to be a leader in the information security field, and we expend considerable resources on cybersecurity.

Our corporate information technology department, which maintains our cybersecurity function, is led by our Chief Information Officer ("CIO"), who reports to our Chief Financial Officer ("CFO") and has direct access to the CEO regarding information technology and cybersecurity related matters. The Chief Information Security Officer ("CISO") reports to the CIO and is responsible for our Company's information security strategy, policy, security engineering, operations and cyber threat detection and response. Our current CISO has extensive information technology, cybersecurity and project management experience, and has served in various information technology roles for over 35 years, including experience with three other public companies.
The CISO manages a team of cybersecurity professionals with broad experience and expertise, and have an average of over 15 years in various roles involving information technology, including security and compliance. The corporate cybersecurity and compliance department manages and continually enhances our enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur.

In order to assess, identify and manage information security and cybersecurity threats, the Company has implemented a cybersecurity program that includes risk assessment and prevention measures to facilitate communication, training, awareness and incident response procedures. These are integrated into our overall enterprise risk management ("ERM") process. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process annual risk assessment is presented to the Board.

The Company maintains policies and procedures to ensure timely and appropriate notifications to relevant parties and regulators as required for cybersecurity threats and data breaches. A designated incident response team is responsible for the execution of Redwire's data breach response plan. Comprised of Company officers who serve across several functions, the incident response team includes the Company's CISO, CIO, General Counsel, CFO, Senior VP and Chief Accounting Officer, and Cybersecurity and Compliance Director. Other employees from the Company's information technology, finance, compliance and human resources functions support the incident response team, including with respect to diagnosing and mitigating cybersecurity events.
Our cybersecurity policies and frameworks are based on industry and governmental standards to align closely with DoD requirements, instructions and guidance. The Company has adopted the National Institute of Standards and Technology ("NIST") Cybersecurity Framework and Zero Trust Framework. The NIST Cybersecurity Framework models the best practices for security and the capabilities needed to identify, protect, detect and respond to cybersecurity risks and events, while the Zero Trust Framework addresses security challenges. We evaluate our physical, electronic and administrative safeguards on a continuous basis to ensure they are effectively deployed across the business.

The Company has implemented cybersecurity tools to enable a Zero Trust Network Access that includes an Internet Intrusion detection and response combined with an always-on virtual private network solution to reduce our external exposure. We utilize third-party tools to protect Redwire data and implemented the security and data protection technologies. The Company utilizes the industry leading endpoint protection tool recognized by Gartner. We employ threat protection firewalls at our facilities and perform network and vulnerability monitoring with industry leading tools.

We also work with trusted and leading third parties to help us assess and strengthen our information security program. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls.

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile.
We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.

Similar to many other companies, we experience attempts to gain unauthorized access to our systems and information on a regular basis, and a number of our employees work remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. Despite our security measures, including employee training, our information technology and infrastructure are vulnerable to cyber-attacks, malicious intrusions, breakdowns, destruction, loss of data privacy, breaches due to employee error, malfeasance or other disruptions and we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our operations or financial results. See Item 1A. Risk Factors for further discussion of these risks.

Governance

The Company's Board is responsible for the oversight of management's process for identifying and mitigating risks, including cybersecurity risks. IT leadership of the Company briefs the Board on a quarterly basis regarding information security matters, including the current cybersecurity landscape, progress on information security initiatives and accomplishments, and an information security dashboard. The Board is apprised of cybersecurity incidents concluded to have a moderate or higher business impact, even if immaterial to us. In the event of an incident, we intend to follow our incident response process, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate.


Company Information

Name: Redwire Corp
CIK: 0001819810
SIC Description: Guided Missiles & Space Vehicles & Parts
Ticker: RDW - NYSE; RDW-WT - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30