Frontier Group Holdings, Inc. 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

Frontier Group Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 16:09:38 EST.

Filings

10-K filed on 2026-02-18

Frontier Group Holdings, Inc. filed a 10-K at 2026-02-18 16:09:38 EST
Accession Number: 0001670076-26-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy In order to respond to the threat of security breaches and cyberattacks, we have developed and maintained a cybersecurity risk management program that is designed to protect and preserve the confidentiality, integrity and continued availability of our systems and information. The maturity of our cybersecurity program is assessed annually. We have developed an internal cybersecurity risk management framework which utilizes industry frameworks and standards, such as the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST CSF and other security standards, guidelines and best practices within our own framework to help us identify, assess and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program shares common methodologies, reporting channels and governance processes that apply across our overall enterprise risk assessment to other legal, compliance, strategic, operational and financial risk areas. Our cybersecurity risk management program includes: - risk assessments and rating platforms that are leveraged to help identify cybersecurity risks to our critical systems, information, services and our broader enterprise information technology environment; - a cybersecurity team principally responsible for managing our cybersecurity risk assessment processes and our response to cybersecurity incidents through monitoring and identification activities; - the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes; - annual cybersecurity awareness training for employees and web and mobile developers, including responsible information security, data security and cybersecurity practices; - a computer incident response team ("CIRT") that leverage our cybersecurity incident response plan which includes procedures for responding to cybersecurity incidents, escalating notifications and reporting requirements to regulatory bodies; and - a third-party risk management process for service providers, suppliers and vendors . We did not identify any material security breaches during the year ended December 31, 2025, nor have we identified risks from any known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, may result in a material impact to our operations, business strategy, results or financial condition. See "Risk Factors - Risk Related to Our Business - Unauthorized use, unauthorized incursions or user exploitation of our IT Systems could compromise the personally identifiable information of our passengers, prospective passengers or personnel, and other sensitive information and expose us to liability, damage our reputation and have a material adverse effect on our business, results of operations and financial condition." 56 Cybersecurity Governance Our board of directors is responsible for risk oversight, including cybersecurity risks, which occurs at the board of directors' level and through the Audit Committee's oversight of cybersecurity and other information technology risks. Additionally, we have a Cybersecurity Disclosure Committee ("CDC"), which includes representation from our Information Technology, Legal, Internal Audit and Accounting and Reporting teams. The CDC assists management with important aspects of compliance with public disclosure rules relating to cybersecurity incidents. The CDC also provides input and consideration into internal controls surrounding cybersecurity along with reviewing cybersecurity risks, mitigation strategies, and ensuring the cybersecurity strategy is in alignment with business objectives. The Audit Committee receives reports as necessary, and no less than quarterly, from our cybersecurity management team on our cybersecurity risks and related information, including, but not limited to, analysis of events that have impacted our peers, updates on program maturity, regulatory compliance status and cybersecurity program status and updates. In addition, management updates the Audit Committee, as necessary, regarding any significant cybersecurity incidents. The Audit Committee regularly briefs our board of directors on the matters communicated to the Audit Committee by our cybersecurity management team and the CDC, and our board of directors also receives periodic briefings from our cybersecurity management team on our cybersecurity risk management program and on cybersecurity threats in order to enhance our directors' literacy on cybersecurity issues. Management's Role Our cybersecurity management team is led by our Senior Vice President & Chief Information Officer ("CIO") and Senior Director of Cybersecurity, who are primarily responsible for assessing and managing our material risks from cybersecurity threats. They lead an operations team that implements and monitors our overall cybersecurity risk management program through various processes and technologies deployed in our environment, and also supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants and professional services providers. Our CIO and Senior Director of Cybersecurity have extensive cybersecurity experience as noted below: - Our Senior Vice President & CIO leads our information technology department and oversees our cybersecurity division. Our CIO holds a Bachelor's degree from the University of Texas and has served in various IT and cybersecurity roles for over 20 years across numerous organizations, including Chief Operating Officer, Chief Technology Officer, Senior Vice President of Operations and IT director roles. - Our Senior Director of Cybersecurity heads the division and is responsible for aspects of cybersecurity across our infrastructure, which includes cybersecurity architecture and engineering, cybersecurity operations and IT governance risk and compliance. Our Senior Director of Cybersecurity has served in various cybersecurity roles for over 20 years at numerous organizations, across many industries. Our Senior Director of Cybersecurity earned a Bachelor of Science in Computer Information Systems from Excelsior University and a Master of Business Administration (MBA) from Colorado State University. 57

Company Information