Gogo Inc. 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Gogo Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:01:14 EST.

Filings

10-K filed on 2026-02-27

Gogo Inc. filed a 10-K at 2026-02-27 16:01:14 EST
Accession Number: 0001193125-26-082487

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes and are designed to protect the confidentiality, integrity, and availability of our information systems, safeguard our intellectual property and sensitive data, and ensure the resilience of our services . As a foundation of this approach, we have implemented a layered governance structure to help assess, identify, manage and report cybersecurity risks. Our cybersecurity program leverages the NIST Framework, which outlines the core components and responsibilities necessary to sustain a healthy and well-balanced cybersecurity program. To protect our network and information systems from cybersecurity threats, we use various security tools and policies that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools and a unified Security Information and Event Management ("SIEM") platform, which aggregates and analyzes log data from across our entire environment. We have a number of policies and procedures supporting the cybersecurity program, including a robust enterprise cybersecurity incident response plan, which is activated in the event of a cybersecurity incident. The incident response plan is a detailed playbook that specifies how Gogo classifies, responds to, and recovers from cybersecurity incidents and includes notification procedures that vary depending on the significance of the incident. When warranted by the severity of the incident, the Board, the Audit Committee, the Chief Executive Officer and other senior executives are part of the notification chain. We conduct regular reviews and tests of our cybersecurity program, which includes tabletop exercises, penetration and vulnerability testing, simulations, and other exercises, as well as leverage audits by our internal audit team to evaluate the effectiveness of our cybersecurity program and controls and improve our security measures and planning. We also engage external auditors to review our cybersecurity program and controls, as well as engage third parties to perform penetration testing and vulnerability scanning of our public and private assets. With respect to third-party service providers , including our Cloud Service Providers ("CSPs"), we obligate our vendors to adhere to privacy and cybersecurity measures through various contractual provisions to the extent possible, and we perform risk assessments of vendors as appropriate from time to time, which includes a vendor's ability to protect data from unauthorized access, and ongoing monitoring to ensure our vendors adhere to our security standards. We define and manage a shared responsibility model with our CSPs to ensure there are no gaps in security coverage and review their System and Organization Controls ("SOC") 2 reports as part of our due diligence process. We face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See " Item 1A . Risk Factors - We periodically are and could in the future be adversely affected if we or our third party suppliers or service providers suffer service interruptions or delays, technology failures, damage to equipment or system disruptions or failures arising from, among other things, force majeure events, cybersecurity incidents or other malicious activities. " We have insurance designed to cover certain expenses relating to cybersecurity incidents; however, damage and claims arising from a cybersecurity incident may exceed the amount of any insurance available. While we have experienced cybersecurity incidents, to date, we do not believe that we experienced a material cybersecurity incident during the fiscal year ended December 31, 2025. The sophistication of cybersecurity threats, including through the use of AI, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency such as our contemplated use of AI may further expose our computer systems to the risk of cybersecurity incidents. Governance Our cybersecurity governance model, aligned with the NIST Cybersecurity Framework 2.0, provides for robust oversight from both the Board of Directors and senior management, ensuring that cybersecurity risk is managed as a critical component of our enterprise risk. As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, which involves Board and Audit Committee oversight, senior and department executive leadership focus and commitment, and employee training. Our Audit Committee, comprised entirely of independent directors from our Board, oversees the 40 Board's responsibilities relating to the operational (including information technology ("IT") risks, business continuity and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through annual assessments, quarterly reporting and regular updates from members of the Company's executive leadership team, cybersecurity and data privacy leadership team, as well as the Internal Audit team. The Audit Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity, and may request the CISO to brief the Board of Directors on the status of cybersecurity and risk management programs, as well as relevant cyber-incidents and threats. Our Senior Vice President, Chief Information Security Officer ("CISO"), leads our cybersecurity team and has over 16 years of experience establishing and leading comprehensive cybersecurity programs. Our CISO retired from the United States Navy, where he served in various roles with increasing responsibility, most recently serving as the Director of Operations - Navy Cyber Defense Operations Command. In that role, our CISO led a team of 450 personnel overseeing networks with more than 800,000 endpoints and more than 200 IT, Cloud, Legacy, and Operational Technology networks globally. We believe that our CISO's technical expertise and background assists us with the navigation of the extensive regulatory framework to which we are subject as a federal contractor, including the achievement of the Cybersecurity Maturity Model Certification ("CMMC") program. We believe we are well-positioned to meet the requirements of CMMC and are preparing for certification. We also have management level committees and a cybersecurity incident team who support our processes to assess and manage cybersecurity risk as follows: - The Cybersecurity Cross Functional Team (the "Cybersecurity CFT"), led by our CISO, brings together IT, legal, compliance and other function heads. The Cybersecurity CFT meets at least quarterly (or more frequently as needed) and provides a forum for these cross-functional members of management to: consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise. - The Gogo Executive Cybersecurity Committee (the "GECC") is comprised of executive leadership and members of the cybersecurity, operations, risk, legal, and internal audit teams. The GECC liaises with the Cybersecurity CFT and provides oversight of all aspects of Gogo's cybersecurity program and, at regular intervals through the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks. - The Incident Response Management Team (the "IRMT"), which includes senior executives and members of our cybersecurity leadership team, was established to support our incident response plan and reports into the GECC. Members of the IRMT are alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The IRMT annually assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options. The IRMT also engages with the Company's Board and the Audit Committee depending on the severity of the cybersecurity incident. The output of each of the foregoing committees are collected and analyzed on a regular basis and our CISO briefs the Audit Committee , through quarterly updates as well as on an ad hoc basis between regular updates to the extent needed. At the employee level, we maintain an experienced IT team tasked with implementing our privacy and cybersecurity program and supporting our cybersecurity leader in carrying out reporting, security and mitigation functions. We continuously seek to promote awareness of cybersecurity risk through communication and education of our employee population, and have a mandatory training program which covers privacy and cybersecurity (including phishing tests) and records and information management.

Company Information