Page last updated on February 5, 2026
SOUTHWEST AIRLINES CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-05 16:07:52 EST.
Filings
10-K filed on 2026-02-05
SOUTHWEST AIRLINES CO filed a 10-K at 2026-02-05 16:07:52 EST
Accession Number: 0000092380-26-000004
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Risk Assessment and Management

The Company is increasingly dependent on the use of complex technology and systems to run its operations and support its strategic objectives. These technologies and systems include, among others, the Company's website and reservation system; mobile application; flight dispatch and tracking systems; flight simulators; check-in kiosks; aircraft maintenance, planning, and record keeping systems; telecommunications systems; flight planning and scheduling systems; crew scheduling systems; human resources systems; and financial planning, management, and accounting systems. Additionally, the Company must receive and process certain confidential or personal information related to its Customers and Employees to run its business, and the Company's operations depend upon secure collection, processing, retention, and transmission of such information. Therefore, the performance, reliability, and security of the Company's technology infrastructure and information systems are critical to the Company's operations and initiatives.

The Company has an enterprise risk management ("ERM") program to identify, evaluate, and manage risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program to align cybersecurity efforts with the Company's broader business goals and objectives. The Company believes that integrating cybersecurity risks into its ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the Company's operations, financial condition, and reputation in an ever-evolving threat landscape.

The Company maintains a cybersecurity program that is designed to identify, protect from, detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems.
The National Institute of Standards and Technology Cybersecurity Framework helps the Company inform its cybersecurity agenda and prioritize its cybersecurity activities.

The Company takes a risk-based, threat-informed approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect the Company's operations, finances, legal or regulatory compliance, or reputation. Once identified, cybersecurity risks and related mitigation efforts are evaluated and prioritized based on their potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk or threat. These strategies include, among others, the application of cybersecurity policies and procedures, implementation of administrative, technical, and physical controls, and Employee training, education, and awareness initiatives.

The Company's cybersecurity program also includes a Security Operations Center ("SOC") that conducts ongoing monitoring of networks and systems for potential signs of suspicious activity. The SOC is a centralized function that monitors security alerts to initiate triage, verification, and remediation activities. Additionally, the Company's cybersecurity program provides mechanisms for Employees to report any unusual or potentially malicious activity they observe.

The Company tracks key performance indicators and cybersecurity metrics to evaluate the efficacy of its cybersecurity controls and practices.
Further, the Company's cybersecurity program is periodically reviewed by its Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO" and, together with the CIO, the Company's "Cybersecurity Leaders") and adjusted in an effort to maintain the program's agility and responsiveness as circumstances evolve, new cybersecurity threats emerge, and regulations change.

Incident Response

The Company has a dedicated cybersecurity incident response team responsible for managing and coordinating the Company's cybersecurity incident response efforts. This team collaborates closely with other internal teams as well as with external experts such as legal advisors, communication specialists, and other key stakeholders, as appropriate, in identifying, protecting from, detecting, responding to, and recovering from cybersecurity incidents. Cybersecurity incidents that meet certain thresholds are escalated to the Cybersecurity Leaders and cross-functional teams on an as-needed basis for support and guidance. Additionally, this team tracks cybersecurity incidents to help identify and analyze them.

The Company maintains a cybersecurity incident response plan to prepare for and respond to cybersecurity incidents. The incident response plan includes standard processes for reporting and escalating cybersecurity incidents, as appropriate, to senior management, the Audit Committee, and the Board. Additionally, the Company conducts at least one cybersecurity tabletop exercise on an annual basis, where members of a cross-functional team engage in a simulated cybersecurity incident scenario. This preparedness exercise is intended to provide hands-on training for the participants and helps the Company assess its cybersecurity response plan and its processes and capabilities in addressing cybersecurity threats.

Use of Third Parties

Cybersecurity Service Providers and Third-Party Consultants.
The Company engages cybersecurity consultants, assessors, and other third parties to assess and enhance its cybersecurity practices. These third parties conduct assessments, penetration testing, and vulnerability evaluations to help identify potential weaknesses and recommend improvements. Additionally, the Company leverages a number of third-party tools and technologies as part of its efforts to enhance cybersecurity functions, such as a managed security service provider to augment the Company's dedicated SOC team, an endpoint detection and response system for continuous monitoring, detection, and response capabilities, and a security information and event management solution to automate real-time threat detection, investigation, and prioritization of high-fidelity alerts.

Oversight of Third-Party Service Providers. The Company also uses third-party service providers to support its operations and many of its technology initiatives. The Company evaluates third-party service providers from a cybersecurity risk perspective, which may include an assessment of that service provider's cybersecurity posture and/or a recommendation of specific mitigation activities. Following an evaluation, the Company determines and prioritizes service provider risk based on potential threat impact and likelihood, and such risk determinations drive the level of due diligence and ongoing compliance monitoring required for each service provider.

Risks from Material Cybersecurity Threats

As of the date of this report, the Company has not identified any cybersecurity threats that have materially affected or are reasonably likely to have a material effect on the Company's business strategy, results of operations, or financial condition.
Although the Company has not experienced cybersecurity incidents that are individually, or in the aggregate, material, the Company and its service providers have experienced cyber-attacks in the past, which the Company believes have thus far been mitigated by preventative, detective, and responsive measures put in place. For a detailed discussion of the Company's cybersecurity related risks, see "Item 1A. Risk Factors-Information Technology, Cybersecurity, and Data Privacy Risks."

Cybersecurity Governance

Board Oversight

The Board is responsible for overseeing management's assessments of major risks facing the Company and for reviewing options to mitigate such risks. The Board's oversight of major risks, including cybersecurity risks, occurs at both the full Board level and at the Board committee level through the Audit Committee.

The Board. The Chief Executive Officer, the Chief Operating Officer, the Chief Financial Officer, members of senior management, and other personnel and advisors, as requested by the Board, report on the Company's financial, operating, and commercial strategies, as well as major related risks, which may include cybersecurity risks, at regularly scheduled meetings of the Board. Based on these reports, the Board may request follow-up information and presentations to address any specific concerns and recommendations. Additionally, the Audit Committee has opportunities to report regularly to the entire Board and review with the Board any major issues that arise at the committee level, which may include cybersecurity risks.

The Audit Committee. The Audit Committee reviews with management the Company's technology and cybersecurity frameworks, policies, programs, opportunities, and risk profile as needed at its regularly scheduled meetings.
The Company's CIO, CISO, members of the cybersecurity team, or other advisors, as requested by the Audit Committee, report periodically on the Company's technology, data protection, and cybersecurity strategies and risks. Cybersecurity topics are presented to the Audit Committee on a periodic basis and generally highlight any significant cybersecurity incidents, the cyber threat landscape, cybersecurity program enhancements, cybersecurity risks and related mitigation activities, and any other relevant cybersecurity topics. Management believes that this regular cadence of reporting helps to provide the Audit Committee with an informed understanding of the Company's dynamic cybersecurity program and threat landscape. As needed, the Audit Committee reviews with management the Company's business continuity and disaster recovery plans and capabilities and the effectiveness of the Company's escalation procedures. Based on these management reports, the Audit Committee may request follow-up information and presentations to address any specific concerns and recommendations. In addition to this regular reporting, cybersecurity risks or threats may also be escalated on an as-needed basis to the Audit Committee.

Management's Role

The Company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The Company's cybersecurity function is led by the Company's CISO, who reports to the Company's CIO. The Cybersecurity Leaders are actively involved in assessing and managing cybersecurity risks. They are responsible for implementing cybersecurity policies, programs, procedures, and strategies. The responsibilities and relevant experience of each of the Cybersecurity Leaders are listed below:

- The Executive Vice President and CIO provides leadership for the Company's technology department.
The CIO holds an undergraduate degree from Cornell University and has served in various roles in information technology for over 20 years, including Senior Vice President, Vice President, Senior Director, Manager, and Consultant.
- The CISO is responsible for leading the Company's cybersecurity strategy and department, as well as the protection of data and assets across the Company's facilities, airports, and aircraft. The CISO has served in various roles in cybersecurity for over 19 years. The CISO earned a Bachelor of Business Administration in Management Information Systems from The University of Oklahoma and holds a Certified Information Systems Security Professional certification. The CISO also participates in the Aviation Information Sharing and Analysis Center Board and is the Vice Chair of the Cybersecurity Council at Airlines for America.

The Company's cybersecurity department is comprised of teams that engage in a range of cybersecurity activities such as threat intelligence, incident response, security operations, vulnerability management, risk and compliance and security engineering. These teams conduct vulnerability management and penetration testing to identify, classify, prioritize, remediate, and mitigate vulnerabilities. Leaders from each team regularly meet with the Cybersecurity Leaders to provide visibility of relevant issues and seek alignment with strategy.

As noted above under "Incident Response," the Company's cybersecurity incident response plan includes standard processes for reporting and escalating cybersecurity incidents, as appropriate, to senior management, the Audit Committee, and the Board. Cybersecurity incidents that meet certain thresholds are escalated to the Cybersecurity Leaders and cross-functional teams on an as-needed basis for support and guidance. The Company's incident response team also coordinates, as needed, with external legal advisors, communication specialists, and other key stakeholders.
Company Information
| Name | SOUTHWEST AIRLINES CO |
| CIK | 0000092380 |
| SIC Description | Air Transportation, Scheduled |
| Ticker | LUV - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |