Booz Allen Hamilton Holding Corp 10-K Cybersecurity GRC - 2025-05-23

Page last updated on May 26, 2025

Booz Allen Hamilton Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-23 06:49:34 EDT.

Filings

10-K filed on 2025-05-23

Booz Allen Hamilton Holding Corp filed a 10-K at 2025-05-23 06:49:34 EDT
Accession Number: 0001443646-25-000076


Item 1C. Cybersecurity.

As one of the world’s largest cybersecurity solution providers, we routinely defend against advanced persistent threats both internally and for our customers. Our cybersecurity risk management program is an integral part of our overall Enterprise Risk Management (“ERM”) program, and is designed to assess, identify, manage and mitigate internal and external cybersecurity risks, threats and incidents.

Risk Management and Strategy

Cybersecurity oversight is embedded in our ERM Steering Committee, chaired by the Chief Operating Officer and including senior executives such as the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”). This committee is responsible for:

- Identifying, assessing, and managing cybersecurity risks within the broader ERM framework;
- Aligning cybersecurity risk management priorities and strategies with business objectives;
- Monitoring periodic internal and third-party assessments, threat simulations, and security exercises to evaluate cybersecurity defenses; and
- Addressing identified vulnerabilities through mitigation efforts and risk response strategies.

See “Item 1C. Cybersecurity-Governance-Management’s Responsibilities” below for additional information regarding our cybersecurity risk management program.

Governance

Management’s Responsibilities

Our cybersecurity risk management program is led by our CISO, who is responsible for our information security strategy, policies, compliance, security architecture and engineering, security operations, and cybersecurity threat detection and response. Our CISO, a Certified Information Systems Security Professional (“CISSP”), has over 20 years of information security and program management experience and has served as the CISO for several large-scale enterprises in the U.S. government services industry, commercial organizations, and not-for-profit organizations.

As a government contractor, we are required to comply with extensive regulations and standards, including but not limited to, cybersecurity regulations and standards and the requirements of the DFARS. Additionally, our cybersecurity risk management program is guided by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Our policies and implemented controls have been assessed by external organizations, including industry partners and the federal government. We work closely with our subcontractors and suppliers to identify and manage cybersecurity risks and, as appropriate, require them to comply with applicable laws and regulations. These contractual requirements include the requirement that our subcontractors implement certain security controls, and that our subcontractors self-report the status of their implementation of these controls to the U.S. government. To manage cybersecurity risk introduced from our supply chain, depending on the nature of a supplier’s work and the sensitivity of our and our customers’ information provided to the supplier, we also require suppliers to complete our security questionnaire and provide evidence of security accreditations, and we evaluate supplier compliance with security requirements using internal and third-party resources.

Our CISO also leads our Cyber Fusion Center (“CFC”), whose function is, pursuant to our Cyber Incident Response Plan, to stay apprised of existing and emerging cybersecurity threats and monitor our information systems to proactively identify, protect against, and mitigate cybersecurity threats. The CFC uses intelligence collected from various sources, fused with intelligence collected from analysis and response actions, to proactively search for and address adversary activity against our information systems. The CFC possesses in-depth knowledge of network, endpoint, perimeter security systems, identity-based vulnerabilities, data protection, threat intelligence, forensics, penetration testing, and malware reverse engineering, as well as the functioning of specific applications or underlying information systems infrastructure. The CFC partners with a third-party managed systems security provider (“MSSP”) to augment 24x7 cyber incident monitoring.

The Cyber Incident Response Team (“CIRT”) is responsible for the incident response process and provides direction and guidance to users of our information systems when responding to cybersecurity incidents. The CIRT also provides intrusion monitoring of networks and information systems, and performs triage and analysis of events to identify and respond to potential incidents, including potential incidents occurring on third-party systems. The CIRT categorizes anomalous cybersecurity events into discrete levels in which cybersecurity events are escalated to appropriate levels of management, as well as our Crisis Management Team, Cyber Incident Materiality Committee, Audit Committee, and Board, based on the severity of the incident. While typical cybersecurity management and incident response is provided by internal resources, we have arrangements with certain third parties whom we can engage if additional support or resources are required.

Board of Directors’ Roles and Responsibilities

The Board oversees the Company’s risk management processes, including those relevant to cybersecurity risks, and the Audit Committee provides focused governance of cybersecurity, ensuring that cybersecurity threats, vulnerabilities, and incident response measures are continuously assessed and managed. The Audit Committee receives regular briefings from the CISO on risks related to internal systems, third-party relationships, and emerging cybersecurity threats. The Audit Committee provides updates to the Board on significant cybersecurity risks and the Company’s mitigation strategies.

Cybersecurity Threats

Even with our extensive and systematic approach to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the cost related to cybersecurity threats or disruptions may not be fully insured. During the period covered by this Annual Report, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or our financial condition. Future cybersecurity incidents could, however, materially affect our business strategy, results of operations, reputation, or financial condition. See Item 1A, “Risk Factors,” for a discussion on cybersecurity risks and how they could materially affect the Company.


Company Information

Name: Booz Allen Hamilton Holding Corp
CIK: 0001443646
SIC Description: Services-Management Consulting Services
Ticker: BAH - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 31