Page last updated on March 2, 2026
BigBear.ai Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:33:36 EST.
Filings
10-K filed on 2026-03-02
BigBear.ai Holdings, Inc. filed a 10-K at 2026-03-02 16:33:36 EST
Accession Number: 0001836981-26-000018
Item 1C. Cybersecurity.
We face a broad and evolving landscape of cybersecurity threats, ranging from attacks common across most industries, such as ransomware, phishing, and denial-of-service incidents, to more advanced, persistent, and highly organized threats, including nation-state and state-sponsored actors. These sophisticated adversaries increasingly target the defense industrial base, critical infrastructure sectors, and companies expanding operations, partnerships, and supply chains across international markets. As we grow our global footprint, we are exposed to additional risks arising from cross-border data flows, varying regulatory regimes, geopolitical tensions, and heightened cyber espionage activity in certain regions. Our customers, suppliers, subcontractors, joint venture partners, and other third parties, both domestic and international, face similar cybersecurity threats. A cybersecurity incident affecting us or any of these entities, including incidents originating from or impacting our international operations, could materially and adversely affect our business, operations, financial condition, and results of operations.
Our Cybersecurity program is built upon the National Institute of Standards and Technology Cybersecurity Maturity Framework (the "NIST CSF Framework"), which includes the standards outlined in both NIST 800-53, Security and Privacy Controls for Information Systems and Organizations, and NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The NIST CSF is issued by the U.S. government as a guideline to manage cybersecurity-related risk. Additionally, we also employ industry best practices and other global and local standards and regulations as we continuously evaluate our risks. We utilize independent third-parties to assess our adherence to these frameworks.
Our Cybersecurity program is supervised by a dedicated Chief Information Security Officer (CISO), who has over 17 years' experience in cybersecurity and operations and holds the following certifications: Certified Information Systems Security Professional (CISSP) and ISO/IEC 42001 AI Management Systems Lead Implementor. The cybersecurity team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. A strong partnership exists between our Information Technology, Cybersecurity, Internal Audit, and Legal functions so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required. We have a Governance, Risk, and Compliance (GRC) program to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation and remediation of cybersecurity incidents. The CISO reports information about such risks to the Board of Directors.
Our cybersecurity strategy is built upon the principle that cybersecurity risk is business risk and must be addressed within the context of the overall enterprise risk. Our practices include development, implementation, and improvement of policies, standards, and guidelines, which serve as the foundation of our program. We continuously monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational impacts of any threat and cybersecurity risk countermeasures made to defend against such threats. We leverage government partnerships, industry and government associations, third-party benchmarking, and threat intelligence to safeguard information and ensure availability of critical data and systems.
We have a robust Incident Response Plan that coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess, escalate, contain, investigate, and remediate the incident, as well as comply with potentially applicable legal obligations and mitigate brand and reputational damage. Our plan is tested annually, at a minimum via tabletop exercises.
Our Cybersecurity Awareness Program engages personnel through training on how to identify potential cybersecurity risks and protect BigBear.ai's resources and information. This training is mandatory for all employees and is supplemented by enterprise testing initiatives, including periodic phishing tests. We provide specialized security training for certain employees, such as application developers.
We carry cyber liability insurance to provide a level of financial protection should a data breach occur. To date, the Company has not experienced any material cybersecurity incidents and we are not aware of any cybersecurity risks that are reasonably likely to materially affect the Company.
The Board of Directors, as well as the Audit Committee and Nominating and Governance Committee, have oversight of risks from cybersecurity threats. Each of these bodies is informed of these risks at quarterly meetings at a minimum, and on an ad hoc basis, as necessary.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.
Company Information
| Name | BigBear.ai Holdings, Inc. |
| CIK | 0001836981 |
| SIC Description | Services-Prepackaged Software |
| Ticker | BBAI - NYSE; BBAI-WT - NYSE |
| Website | |
| Category | Emerging growth company |
| Fiscal Year End | December 31 |