Intuitive Machines, Inc. 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

Intuitive Machines, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 17:09:31 EDT.

Filings

10-K filed on 2024-03-25

Intuitive Machines, Inc. filed an 10-K at 2024-03-25 17:09:31 EDT
Accession Number: 0001844452-24-000036

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We believe cybersecurity is critical to advancing the Company s strategy and the growth of our business. We manufacture and operate highly sophisticated spaceflight systems that depend on complex technology and face a multitude of cybersecurity threats. Threat actors (such as ransomware groups) are becoming increasingly sophisticated and using tools and techniques that are designed to circumvent security controls, to evade detection and to remove or obfuscate forensic 29 Table of Contents evidence. Our information technology systems and networks may be damaged, disrupted, or compromised by malicious events, such as cyberattacks (including computer viruses, ransomware, and other malicious and destructive code, phishing attacks, and denial of service attacks), physical or electronic security breaches, natural disasters, fire, power loss, telecommunications failures, personnel misconduct, and human error. Such attacks or security breaches may be perpetrated by internal bad actors, such as employees or contractors, or by third parties. Furthermore, because the techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until after they are launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We also work cooperatively with our suppliers, subcontractors, venture partners and other parties. Failures and disruptions or compromises to our or our third parties systems may cause targeted cyberattacks or similar events or incidents to impact our business and operations. While we have built operational processes to help ensure the integrity of our design, manufacture, performance and servicing of our systems, there can be no assurance that we will not experience operational or process failures and other problems due to cyber incidents. Intuitive Machines uses several methods for controlling cybersecurity risks/threats. We use next generation firewall hardware to identify threats and malware and block those in transit before they reach our networks. We use software that identifies malware/viruses and blocks those before execution. We also implement software tools that create weekly reports of vulnerabilities for the Information Technology ( IT ) organization to review and action. Additionally, we have systems that collect logs and events from various elements within the networks including firewalls, servers, network hardware, and user equipment and displays all these events in one place for forensic analysis and tracking. If any security incidents do occur, they are tracked within our incident response system through to closure. We also engage with third party consultants to assess cyber risk to both our mission operations network and our business operations network. We have not experienced any cybersecurity incidents that have had a material impact on our business strategy, results of operations or financial condition. Our costs to adequately counter the risk of cyber-attacks and to comply with contractual and/or regulatory compliance requirements may increase significantly in the future. If there is a security vulnerability, error, or other bug in one of ours or our critical third-party systems or if there is a security exploit targeting them, we could face increased costs, claims, liability, reduced revenue, and harm to our reputation or competitive position. Governance The Board oversees management s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives, senior leadership regularly briefs the Board of Directors on our cybersecurity and information security posture and the Board of Directors is apprised of cybersecurity threats. Our information technology organization, led by our VP of Production & Operations, and our Information Technology Director are responsible for our overall information security strategy, policy and cyber threat detection and response. The current Information Technology Director has 27 years of IT industry experience in operations and cybersecurity planning and implementations for organizations internal to NASA, Jacobs Engineering, and Lockheed Martin. The Information Technology team includes full-time cybersecurity professionals that work routinely with third party security firms along with government and civilian agencies for malware remediation, threat intelligence sharing, and cyber risk analysis exercises. These partnerships provide 24/7 monitoring and remediation, and the shared intelligence flows into regular updates for our evolving security strategies. Our IT operations team has a combined experience of over 50 years combating cyber threats at all levels including military, government, civilian agencies, and corporate enterprise. The full Board retains oversight of cybersecurity because of its importance to the Company. In the event of an incident, we intend to follow our detailed incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate. Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management process. We have implemented cybersecurity policies and frameworks based on industry and governmental standards. As a government contractor, we must comply with extensive regulations, including requirements imposed by International Standards such as ISO/IEC 20000-1:2018 Information Technology Service Management and ISO/IEC 27001:2013 Information Technology Security Techniques, National Institute of Standards and Technology (NIST) Special Publication (SP) 800 Series requirements and controls, Cybersecurity and Infrastructure Security Agency (CISA) guidance, applicable Federal Information Processing Standards (FIPS) and Federal Acquisition Regulations guidance, and are continuing progress towards full implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 standards in 2025. 30 Table of Contents

Company Information