DELTA AIR LINES, INC. 10-K Cybersecurity GRC - 2026-02-10

Page last updated on February 11, 2026

DELTA AIR LINES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-10 17:48:03 EST.

Company Summary

Delta Air Lines is one of the major airlines of the United States and a legacy carrier headquartered in Atlanta, Georgia. It is the United States' oldest operating airline and the seventh-oldest operating worldwide. (Source: Wikipedia)

Filings

10-K filed on 2026-02-10

DELTA AIR LINES, INC. filed a 10-K at 2026-02-10 17:48:03 EST
Accession Number: 0000027904-26-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We are committed to safeguarding our information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Our program to protect our information assets and the management of risks to those assets supports the confidentiality, integrity, and availability of the information necessary to our long-term business success. Risk Management & Strategy Our processes for assessing, identifying and managing material risks from cybersecurity threats is incorporated into our Enterprise Risk Management ("ERM") framework. Our information security and ERM teams coordinate to regularly review and assess these risks using a wide range of tools and services. Our cybersecurity program leverages components from several industry frameworks and generally recognized best practices, including International Organization for Standardization 27001 and National Institute of Standards and Technology ("NIST") standards, such as the NIST Cybersecurity Framework, which emphasizes identification, protection, detection, response and recovery. We regularly assess our information security program capabilities and tools to improve reliability, enhance capabilities and scan our environment for vulnerabilities and weaknesses. Our information technology teams are trained to remediate vulnerabilities identified within established timeframes and our information security team reports to management on a weekly basis regarding the security risk posture of our information technology assets. We have established a dedicated Information Technology Risk team tasked with the goal of ensuring that risk remediation activities are carried out consistently and that risk remediation controls are operating as intended. Enterprise-wide training is a vital component to reducing risk and protecting customers, employees and company information. We expect all Delta employees and third-party contractors to adhere to information security and privacy policies as they handle corporate and customer information in their daily jobs. As a result, we require all employees and contractors with access to Delta's information to complete annual training, which is updated as new technology, security and privacy issues emerge. All new employees are required to complete training within 30 days of hire. We also conduct, at least annually, other training and employee education activities, including through awareness programs and campaigns. We engage assessors, consultants, auditors and other third parties to perform assessments of our cybersecurity program with the intent to identify areas for continued improvement, as well as to ensure ongoing compliance with regulatory requirements to which we are subject. In connection with certain regulatory requirements, we are required to engage third parties to assess our cybersecurity controls. Our cybersecurity program is subject to TSA requirements applicable to certain TSA-regulated airport and aircraft operators, including the requirement to develop a TSA-approved implementation plan describing measures we are taking to improve cybersecurity and to assess the effectiveness of those measures on an ongoing basis. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits. We regularly test our incident response processes through table-top exercises to ensure they continue to be effective as our business and the cybersecurity threat landscape evolve. Our incident response processes are designed to guide the actions we take to prepare for, detect, respond to and recover from cybersecurity incidents. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We describe whether and how risks related to cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference in this Item 1C. Delta Air Lines, Inc. | 2025 Form 10-K 26 Item 1C. Cybersecurity Governance Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee's charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer at least twice per year with additional updates as requested by the Chair of the Audit Committee. In 2025, the Audit Committee received updates on information security matters at all of its regular meetings. In addition to information provided in these meetings, all members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies. Our information security team is led by our Senior Vice President & Chief Information Security Officer , who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Delta Risk Council and Delta Leadership Committee, as well as the Audit Committee and the Board, as merited. Delta Air Lines, Inc. | 2025 Form 10-K 27
Item 1C. Delta Air Lines, Inc. | 2025 Form 10-K 26 Item 1C. Cybersecurity Governance Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee's charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer at least twice per year with additional updates as requested by the Chair of the Audit Committee. In 2025, the Audit Committee received updates on information security matters at all of its regular meetings. In addition to information provided in these meetings, all members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies. Our information security team is led by our Senior Vice President & Chief Information Security Officer , who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Delta Risk Council and Delta Leadership Committee, as well as the Audit Committee and the Board, as merited. Delta Air Lines, Inc. | 2025 Form 10-K 27 Item 2. Properties
Item 1C. Cybersecurity Governance Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee's charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee as part of its review of our ERM framework. The Audit Committee receives updates on cybersecurity risks and the security and operations of our information technology systems from our Chief Information Officer and our Chief Information Security Officer at least twice per year with additional updates as requested by the Chair of the Audit Committee. In 2025, the Audit Committee received updates on information security matters at all of its regular meetings. In addition to information provided in these meetings, all members of our Board also have access to internal and external education on cybersecurity risks. The Board also benefits from the expertise of one of our members who has significant experience in management of cybersecurity companies. Our information security team is led by our Senior Vice President & Chief Information Security Officer , who reports directly to our Executive Vice President - Chief Information Officer. Leadership of the information security team has extensive dedicated cybersecurity experience. Additionally, the collective leadership team holds 21 certifications in cybersecurity and related fields, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. Our Chief Information Security Officer and other members of our cybersecurity leadership team regularly participate in threat intelligence briefings provided through various government and industry entities. Both our Chief Information Officer and our Chief Information Security Officer are members of the Delta Risk Council, which is the management group that oversees all areas of our business risk. Cybersecurity threat risks are a regular subject addressed by this group. In addition, our Chief Information Officer is a member of the Delta Leadership Committee and provides updates to this group as needed about cybersecurity matters. Our cybersecurity incident response plan includes processes for communication about cybersecurity incidents to appropriate levels of management, including to the Delta Risk Council and Delta Leadership Committee, as well as the Audit Committee and the Board, as merited. Delta Air Lines, Inc. | 2025 Form 10-K 27 Item 2. Properties ITEM 2. PROPERTIES Flight Equipment Our operating aircraft fleet, purchase commitments and options at December 31, 2025 are summarized in the following table. Mainline aircraft information by fleet type Current Fleet (1) Commitments Fleet Type Owned Finance Lease Operating Lease Total Average Age (Years) Purchase Options A220-100 45 - - 45 6.0 - - A220-300 36 - - 36 2.7 64 - A319-100 57 - - 57 23.8 - - A320-200 46 - - 46 29.0 - - A321-200 77 8 42 127 7.0 - - A321-200neo 87 - - 87 2.0 68 70 A330-200 11 - - 11 20.8 - - A330-300 28 - 3 31 16.9 - - A330-900neo 32 2 5 39 3.0 - 10 A350-900 29 - 11 40 5.3 4 10 A350-1000 - - - - - 20 - B-717-200 80 - - 80 24.3 - - B-737-800 73 4 - 77 24.3 - - B-737-900ER 119 6 38 163 10.0 - - B-737-10 - - - - - 100 30 B-757-200 76 - - 76 27.1 - - B-757-300 16 - - 16 22.9 - - B-767-300ER 37 - - 37 29.0 - - B-767-400ER 21 - - 21 25.0 - - Total 870 20 99 989 14.8 256 120 (1) Excludes certain aircraft we own or lease that are operated by regional carriers on our behalf shown in the table below. The following table summarizes the aircraft operated by regional carriers on our behalf at December 31, 2025. Regional aircraft information by fleet type and carrier Fleet Type (1) Carrier CRJ-700 CRJ-900 Embraer 170 Embraer 175 Total Endeavor Air, Inc. (2) 19 125 - - 144 SkyWest Airlines, Inc. 5 32 - 87 124 Republic Airways, Inc. - - 11 46 57 Total 24 157 11 133 325 (1) We own 202 and have operating leases for three of these regional aircraft. The remainder are owned or leased by SkyWest Airlines, Inc. or Republic Airways, Inc. (2) Endeavor Air, Inc. is a wholly owned subsidiary of Delta. Delta Air Lines, Inc. | 2025 Form 10-K 28

Company Information