Page last updated on February 27, 2026
Leonardo DRS, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 18:07:55 EST.
Accession Number: 0001833756-26-000013
Item 1C. Cybersecurity.
As a defense contractor developing advanced technologies, we face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly capable adversaries, including nation state actors that target the defense industrial base and other critical infrastructure sectors. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations.

We recognize that cybersecurity is critical to the success of our business. We regularly contract with the U.S. government on programs classified for national security purposes. To adequately safeguard classified and controlled unclassified information, our Cybersecurity Program operates across the enterprise, strongly supported and overseen by our management and the Board. Employees are regularly trained on potential cyber threats and are expected to maintain a high level of cybersecurity awareness.

Cybersecurity Risk Management and Strategy

Our Cybersecurity Program

As described below, we have established policies, standards, processes and practices for assessing, identifying and managing material risks from cybersecurity threats, which are integrated into our overall risk management program and governance structure. Our Cybersecurity Program includes the following four core components: Cyber Operations; Cyber and Information Technology Governance and Compliance; Classified Information Systems; and Cyber/Supplier Risk Management.

- The Cyber Operations team is responsible for maintaining prevention, detection, and response capabilities in a defense-in-depth infrastructure. The prevention, detection, and response capabilities leverage various tools and services. However, this does not mean that we will meet, or maintain, any particular technical standard, specification, framework, or requirement in the future. The Cyber Operations team is engaged to provide timely incident response and works to minimize adverse impacts to our operations.
- The Cyber and Information Technology Governance and Compliance team works to align the Company's cyber approach to frameworks such as NIST 800-171, CMMC, and other information technology general controls. The Cyber and Information Technology Governance team develops Company policies designed to reduce, manage, and mitigate cyber risks.
- The Classified Information Systems team maintains the Company's classified information systems and works closely with the Company's Industrial Security team to help the Company meet the requirements laid out by the DoW for classified systems.
- The Cyber/Supplier Risk Management team collaborates with the Company's supply chain function to identify and work with critical suppliers to reduce cyber risk and minimize or eliminate collateral impacts.

As a defense contractor, we must comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement related to adequately safeguarding controlled unclassified information and reporting cybersecurity incidents to the DoW. We have implemented cybersecurity policies and frameworks based on industry and governmental standards to align closely with DoW requirements, instructions and guidance.

We also participate and support multiple threat-sharing communities including the National Defense Information Sharing and Assessment Center, the defense industrial base Cybersecurity Program, and the National Defense Cyber Alliance. Participating in these communities allows us to collaborate with our Defense Industrial Base sector peers, government agencies, information sharing and analysis centers, and cybersecurity associations. The Cybersecurity Program staff also maintains contact with the Federal Bureau of Investigation for sharing of threat information.

Third parties play a key role in support of our Cybersecurity Program. The Chief Information Security Officer coordinates third-party assessments with the Company's internal audit team. Third parties are regularly engaged to assess our security controls and incident response capabilities. We invest in tools to assess our external vulnerabilities and perform penetration testing regularly. Third-party assessment findings are logged in our internal audit system and tracked until mitigated and/or remediated. These assessments are documented and reviewed with the Company's Chief Executive Officer, Chief Operating Officer, Chief Information Officer, General Counsel, as well as the Government Security Committee ("GSC") of the Board. Both the internal audit team and the Chief Information Security Officer are responsible for reporting any material assessment findings to their respective Board committees. We also maintain third-party management processes to identify and manage the cybersecurity risks associated with third-party service providers.

Governance

Our Board oversees management's processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer, regularly briefs our Board through the GSC depending on the nature and severity of the business impact. The Chief Information Security Officer also provides the GSC with an update on the Company's risk management process and the risk trends related to cybersecurity at least annually. The Audit Committee maintains oversight of material risk mitigation recommendations identified by third-party assessors and receives reports as assessments occur. Cyber assessments are performed no less than annually. The full Board retains oversight of cybersecurity because of its importance and the heightened risk in the defense industry.

The Cybersecurity Program is organized under our Chief Information Security Officer. The current Chief Information Security Officer has extensive information technology and program management experience and has served for over a decade in our corporate information security organization. He has a Masters in cybersecurity from Valparaiso University. Additionally, he has both Certified Information Systems Security Professional-Information Systems Security Management Professional ("CISSP-ISSMP") and Certified Information Systems Auditor ("CISA") certifications, and is also a recognized Information Technology Infrastructure Library ("ITIL") expert. The Chief Information Security Officer reports to the Executive Vice President, General Counsel & Secretary with oversight by the Board. Over the course of the last decade, our management team has gained extensive experience investing in, providing oversight of, and setting the strategy for our Cybersecurity Program.

As of the date of this Annual Report, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant program delays and reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. See Part I, Item 1A, "Risk Factors-Risks Related to Our Business-We may be susceptible to a security breach, through cyber-attack, cyber-intrusion, insider threats or otherwise, and to other significant disruptions of our IT networks and related systems, or those of our customers, suppliers, vendors, subcontractors, partners, or other third parties" in this Annual Report.
Company Information
| Name | Leonardo DRS, Inc. |
| CIK | 0001833756 |
| SIC Description | Search, Detection, Navigation, Guidance, Aeronautical Sys |
| Ticker | DRS - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |