Page last updated on February 12, 2026
JETBLUE AIRWAYS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:45:16 EST.
Filings
10-K filed on 2026-02-12
JETBLUE AIRWAYS CORP filed a 10-K at 2026-02-12 16:45:16 EST
Accession Number: 0001158463-26-000007
Item 1C. Cybersecurity.
JetBlue places great importance on safety including cybersecurity, to protect against various threats. The Company's cybersecurity strategy prioritizes detection, analysis and response to cyber threats, effective management of cyber risks, and resilience against cyber incidents. Safety is the Company's #1 value, and the strength of our safety is supported by exercising vigilance in security, including cybersecurity.
We maintain a formal cybersecurity program with guidance drawn from the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF") and other industry standards. This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our program is designed to protect the confidentiality, integrity, and availability of information technology systems and data. The state of our program maturity and regulatory compliance is regularly reviewed by third-party cybersecurity auditors and assessors.
Among the key features of our cybersecurity risk management processes are the following:
- policies and procedures designed to comply with data security and privacy obligations;
- security technology and tools deployed in our IT environment that help us to identify and manage critical cybersecurity risks, as well as to detect and respond to incidents;
- security awareness training offered to our workforce, and specialized incident response training for our cybersecurity team;
- a Security Operations Center that monitors and responds to incidents; and
- a third-party risk management program that includes diligence and contracting processes for business partners and service providers based on their respective function and risk profile.
These processes help us manage cybersecurity risks but cannot eliminate them.
JetBlue has overall responsibility for assessing and managing risks from cybersecurity threats to the Company and has an established cyber risk committee that consists of the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Information Officer and Chief Information Security Officer ("CISO"). Our CISO has primary responsibility for the design and execution of our cybersecurity risk management program, and helps the committee stay informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, including but not limited to briefings with internal security team members, threat intelligence obtained from public and private sources, and alerts and reports produced by security tools deployed in the IT environment. Our current CISO has nearly two decades of experience in IT risk and program management, threat intelligence, and cybersecurity governance; he also has several cybersecurity industry certifications and specialized training in cybersecurity. However, experience and governance cannot eliminate the cybersecurity risks described in Item 1A.
The CISO regularly briefs management's cyber risk governance committee to review and evaluate cybersecurity threats and risks to the Company. The Audit Committee, which has been delegated cybersecurity risk oversight responsibility by the Board, receives an update on cybersecurity matters at least twice annually, and the full Board receives cybersecurity updates on an annual basis. The Audit Committee Chair and the Board received additional updates, as appropriate, in connection with evolving risk, emerging threats, or significant developments. The Audit Committee also receives periodic cybersecurity reporting, including metrics and key risk indicators, through regular meeting materials and supplements.
For 2025, we reported no material cybersecurity incidents affecting the confidentiality, integrity, or availability of data or information technology systems. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We are also subject to evolving legal and regulatory requirements regarding the reporting and disclosure of cybersecurity incidents, including SEC rules, which may increase our compliance obligations. For further information, see the risk factors under Item 1A titled "Cybersecurity and Information Security Risks" and "Data Privacy and Security Compliance Risks."
Company Information
| Name | JETBLUE AIRWAYS CORP |
| CIK | 0001158463 |
| SIC Description | Air Transportation, Scheduled |
| Ticker | JBLU - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |