|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Managing cybersecurity and digital risk is a significant part of the Company's overall strategy for safely operating its business. The Company has developed a risk-based cybersecurity and digital risk management strategy. This risk-based strategy is informed by guiding principles from industry standard cybersecurity and risk management frameworks—such as those published by the National Institute of Standards and Technology—and industry-recognized practices to protect the confidentiality, integrity and availability of the Company's information technology systems and data. The Company is also subject to extensive cybersecurity regulation, including but not limited to those regulations overseen by the FAA, TSA, and DOT. This risk-based framework is also integrated into the Company's Enterprise Risk Management ("ERM") process that is subject to oversight by the Board. Cybersecurity risks are one of the key risks regularly evaluated, assessed and monitored as part of the Company's overall ERM process.
As part of its risk-based strategy, the Company maintains appropriate technical and organizational measures and regularly reviews the appropriateness of those controls based on changes to the technical or regulatory environment to protect as well as minimize threats to the Company's information; the information of the Company's customers, suppliers and other third parties; the Company's information systems; the Company's business operations; and the Company's services. The Company also regularly incorporates cybersecurity awareness training into employee communications, engagement and training activities. The Company participates in various information-sharing organizations to timely share and receive threat information, thereby improving the collective defense of the aviation, retail and hospitality and other critical infrastructure sectors. The Company regularly seeks opportunities to improve its capabilities, including through cybersecurity trainings and skill-development programs for its CDR organization members.
The Company utilizes a variety of third parties, as appropriate, in connection with its cybersecurity risk management. The Company employs these third-party cybersecurity companies to add capacity or expertise when necessary. Additionally, internal audits, security maturity assessments, security attestations and certifications, security testing and post-remediation reviews of the Company's cybersecurity program are periodically conducted by independent third-party service provides to
identify areas of potential weakness and for continued improvement as well as to ensure ongoing compliance with regulatory requirements to which we are subject. In addition, the Company actively engages with intelligence agencies, law enforcement and advocacy and industry groups.
The Company is subject to cybersecurity risks related to its business partners and third-party service providers, as further detailed under the heading "Increasing privacy, data security and cybersecurity obligations or a significant data breach may adversely affect the Company's business" included as part of the risk factor disclosures in Part I, Item 1A. of this report. To assess these risks, the Company considers the impact of third-party incidents as part of its cybersecurity incident response processes. The Company also conducts evaluations of key suppliers based on risk and seeks to incorporate appropriate security standards to address the risk. In addition, the Company regularly monitors the external cybersecurity posture of select third parties through various service providers.
The Company strives to design and implement technical and organizational controls comprehensively, consistently and effectively as intended to protect the confidentiality, integrity or availability of systems and data. However, because the Company utilizes a risk-based strategy, based on professional judgment and analysis of the risks, it is possible that the Company may underappreciate or not recognize specific risks and may fail to fully implement the necessary technical and organizational controls. Moreover, even well designed and implemented security controls may not eliminate the occurrence of cybersecurity incidents.
Cybersecurity Incident Management
The CDR organization monitors the Company's information systems to prevent, detect, mitigate and remediate cybersecurity threats. The CDR organization uses a variety of prevention and detection tools and other resources to monitor cybersecurity vulnerabilities and identify potential cybersecurity incidents. When a cybersecurity incident is identified, the CDR organization's incident response team engages with the appropriate subject matter experts, the relevant management of impacted organization(s) and others to analyze, contain, eradicate, mitigate and recover from the incident as applicable. When appropriate, during the incident response process, the CISO, the CDR organization's leadership and the Company's Chief Legal Officer may be informed and consulted and if deemed necessary, incidents may be escalated for review by the Senior Leader Crisis Team, which consists of cross-functional leaders of the Company. The Company maintains a process in which a subgroup of the Company's Disclosure Council makes a recommendation regarding the materiality of certain cybersecurity incidents to the full Disclosure Council and, if determined to be material, subsequently to the Audit Committee. Additionally, the CDR organization has frequent operating rhythms to, among other things, review cybersecurity incidents and track the progress of cybersecurity initiatives.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Managing cybersecurity and digital risk is a significant part of the Company's overall strategy for safely operating its business. The Company has developed a risk-based cybersecurity and digital risk management strategy. This risk-based strategy is informed by guiding principles from industry standard cybersecurity and risk management frameworks—such as those published by the National Institute of Standards and Technology—and industry-recognized practices to protect the confidentiality, integrity and availability of the Company's information technology systems and data. The Company is also subject to extensive cybersecurity regulation, including but not limited to those regulations overseen by the FAA, TSA, and DOT. This risk-based framework is also integrated into the Company's Enterprise Risk Management ("ERM") process that is subject to oversight by the Board. Cybersecurity risks are one of the key risks regularly evaluated, assessed and monitored as part of the Company's overall ERM process.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company considers management of cybersecurity and digital risk as essential for enabling its success. The Audit Committee (the "Audit Committee") of the Board provides oversight of the Company's risk assessment and risk management policies and strategies with respect to significant business risks, including cybersecurity and digital risk. On a regular basis, the Audit Committee reviews reports from the Company's Chief Information Security Officer ("CISO")—as well as its Chief Information Officer, Chief Risk Officer, Chief Legal Officer and Chief Compliance Officer—regarding the Company's processes for assessing, identifying and managing of cybersecurity risks, including when applicable, notable cybersecurity threats or incidents impacting the aviation sector and the Company; results of independent third-party assessments of the Company's cybersecurity program; key metrics, capabilities, resourcing and strategy regarding the Company's cybersecurity program; and updates related to cybersecurity regulatory developments. The Chair of the Audit Committee regularly reports its activities—including those related to cybersecurity risks—to the Board and, as necessary, recommends actions to the Board that the Audit Committee deems appropriate.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee (the "Audit Committee") of the Board provides oversight of the Company's risk assessment and risk management policies and strategies with respect to significant business risks, including cybersecurity and digital risk.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|On a regular basis, the Audit Committee reviews reports from the Company's Chief Information Security Officer ("CISO")—as well as its Chief Information Officer, Chief Risk Officer, Chief Legal Officer and Chief Compliance Officer—regarding the Company's processes for assessing, identifying and managing of cybersecurity risks, including when applicable, notable cybersecurity threats or incidents impacting the aviation sector and the Company; results of independent third-party assessments of the Company's cybersecurity program; key metrics, capabilities, resourcing and strategy regarding the Company's cybersecurity program; and updates related to cybersecurity regulatory developments. The Chair of the Audit Committee regularly reports its activities—including those related to cybersecurity risks—to the Board and, as necessary, recommends actions to the Board that the Audit Committee deems appropriate.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company considers management of cybersecurity and digital risk as essential for enabling its success. The Audit Committee (the "Audit Committee") of the Board provides oversight of the Company's risk assessment and risk management policies and strategies with respect to significant business risks, including cybersecurity and digital risk. On a regular basis, the Audit Committee reviews reports from the Company's Chief Information Security Officer ("CISO")—as well as its Chief Information Officer, Chief Risk Officer, Chief Legal Officer and Chief Compliance Officer—regarding the Company's processes for assessing, identifying and managing of cybersecurity risks, including when applicable, notable cybersecurity threats or incidents impacting the aviation sector and the Company; results of independent third-party assessments of the Company's cybersecurity program; key metrics, capabilities, resourcing and strategy regarding the Company's cybersecurity program; and updates related to cybersecurity regulatory developments. The Chair of the Audit Committee regularly reports its activities—including those related to cybersecurity risks—to the Board and, as necessary, recommends actions to the Board that the Audit Committee deems appropriate.
The CISO leads the Company's Cybersecurity and Digital Risk ("CDR") organization, which oversees the Company's approach to prevent, detect, mitigate and remediate cybersecurity and digital risk. The Company's current CISO has extensive technology and risk management experience in critical infrastructure sectors, including aviation, and is certified as a boardroom Qualified Technology Expert by the Digital Directors Network. She has served on the U.S. President's National Infrastructure Advisory Council, examining and providing recommendations related to cross-sector critical infrastructure security and resilience. She currently serves on the board of directors of the Internet Security Alliance, is currently a member of the Cybersecurity Council at Airlines for America (and has served as its Chair) and is currently a member of the board of directors of the Aviation Information Sharing and Analysis Center (A-ISAC). The Company's CDR organization includes teams focusing on cyber defense, identity and digital trust, secure product solutions and aircraft cybersecurity operations. These teams include individuals with a variety of cybersecurity expertise, including expertise in penetration testing; application cybersecurity; product cybersecurity; cloud cybersecurity; infrastructure cybersecurity; cybersecurity engineering and architecture; identity and access management; vulnerability and asset management; cybersecurity threat intelligence; cybersecurity regulatory compliance; digital fraud; digital trust; incident response; insider threat assessment; and aircraft cybersecurity.
The Company's senior leadership—including across the Company's safety, legal, government affairs, operations, aviation security, finance, communications and digital technology organizations as well as others when appropriate—support the CDR organization and contribute to the management of cybersecurity and digital risk by attending regular cybersecurity risk reviews and participating in cybersecurity exercises.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The CISO leads the Company's Cybersecurity and Digital Risk ("CDR") organization, which oversees the Company's approach to prevent, detect, mitigate and remediate cybersecurity and digital risk.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Company's current CISO has extensive technology and risk management experience in critical infrastructure sectors, including aviation, and is certified as a boardroom Qualified Technology Expert by the Digital Directors Network. She has served on the U.S. President's National Infrastructure Advisory Council, examining and providing recommendations related to cross-sector critical infrastructure security and resilience. She currently serves on the board of directors of the Internet Security Alliance, is currently a member of the Cybersecurity Council at Airlines for America (and has served as its Chair) and is currently a member of the board of directors of the Aviation Information Sharing and Analysis Center (A-ISAC).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|On a regular basis, the Audit Committee reviews reports from the Company's Chief Information Security Officer ("CISO")—as well as its Chief Information Officer, Chief Risk Officer, Chief Legal Officer and Chief Compliance Officer—regarding the Company's processes for assessing, identifying and managing of cybersecurity risks, including when applicable, notable cybersecurity threats or incidents impacting the aviation sector and the Company; results of independent third-party assessments of the Company's cybersecurity program; key metrics, capabilities, resourcing and strategy regarding the Company's cybersecurity program; and updates related to cybersecurity regulatory developments. The Chair of the Audit Committee regularly reports its activities—including those related to cybersecurity risks—to the Board and, as necessary, recommends actions to the Board that the Audit Committee deems appropriate.
The CISO leads the Company's Cybersecurity and Digital Risk ("CDR") organization, which oversees the Company's approach to prevent, detect, mitigate and remediate cybersecurity and digital risk. The Company's current CISO has extensive technology and risk management experience in critical infrastructure sectors, including aviation, and is certified as a boardroom Qualified Technology Expert by the Digital Directors Network. She has served on the U.S. President's National Infrastructure Advisory Council, examining and providing recommendations related to cross-sector critical infrastructure security and resilience. She currently serves on the board of directors of the Internet Security Alliance, is currently a member of the Cybersecurity Council at Airlines for America (and has served as its Chair) and is currently a member of the board of directors of the Aviation Information Sharing and Analysis Center (A-ISAC). The Company's CDR organization includes teams focusing on cyber defense, identity and digital trust, secure product solutions and aircraft cybersecurity operations. These teams include individuals with a variety of cybersecurity expertise, including expertise in penetration testing; application cybersecurity; product cybersecurity; cloud cybersecurity; infrastructure cybersecurity; cybersecurity engineering and architecture; identity and access management; vulnerability and asset management; cybersecurity threat intelligence; cybersecurity regulatory compliance; digital fraud; digital trust; incident response; insider threat assessment; and aircraft cybersecurity.
The Company's senior leadership—including across the Company's safety, legal, government affairs, operations, aviation security, finance, communications and digital technology organizations as well as others when appropriate—support the CDR organization and contribute to the management of cybersecurity and digital risk by attending regular cybersecurity risk reviews and participating in cybersecurity exercises.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef