|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Mar. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk assessment, policies and procedures
The Company is dependent on the use of technology and systems to run its operations. These technologies and systems include, among others, the Company's website and reservation system; flight planning and scheduling systems; flight dispatch and tracking systems; crew scheduling systems; baggage check-in kiosks; aircraft maintenance, planning, and record keeping systems; telecommunications systems; human resources systems; and financial planning, management, and accounting systems. The Company is committed to safeguarding these information systems and the information they hold, from unauthorized access, use, disclosure, disruption, modification or destruction.
The Company’s processes for identifying, assessing and managing material risks from cybersecurity threats (including those associated with the Company’s use of third party service providers) are incorporated into its Enterprise Risk Management ("ERM") framework, alongside other critical business risks. The teams responsible for ERM and
Information Security coordinate to review and assess these risks using a wide range of tools and services. The Company believes that integrating cybersecurity risks into its ERM framework ensures a proactive approach to cybersecurity, lessens the need for third party assistance in managing cybersecurity threats and helps safeguard the Company’s operations, financial performance and reputation.
The Company’s cybersecurity program is designed to detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. The program utilises guidance drawn from the U.S. National Institute of Standards and Technology Cybersecurity Framework to set the cybersecurity agenda and prioritise cybersecurity activities. The strategies employed by the program, among others, include:
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company’s processes for identifying, assessing and managing material risks from cybersecurity threats (including those associated with the Company’s use of third party service providers) are incorporated into its Enterprise Risk Management ("ERM") framework, alongside other critical business risks. The teams responsible for ERM and
Information Security coordinate to review and assess these risks using a wide range of tools and services. The Company believes that integrating cybersecurity risks into its ERM framework ensures a proactive approach to cybersecurity, lessens the need for third party assistance in managing cybersecurity threats and helps safeguard the Company’s operations, financial performance and reputation.
The Company’s cybersecurity program is designed to detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. The program utilises guidance drawn from the U.S. National Institute of Standards and Technology Cybersecurity Framework to set the cybersecurity agenda and prioritise cybersecurity activities. The strategies employed by the program, among others, include:
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
Board and Audit Committee
The Board is responsible for overseeing management’s assessment of major risks, including cybersecurity, facing the Company and for reviewing options to mitigate such risks. The Board’s oversight of major risks, including cybersecurity risks, occurs at both the full Board level and at the Board committee level through the Audit Committee. The Company benefits from certain Board and Audit Committee members having considerable IT, data and cyber experience.
The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of the Company’s information technology systems from the Chief Technology Officer (“CTO”). These updates generally include any significant cybersecurity incidents, cybersecurity threats, cybersecurity program enhancements, and cybersecurity risks and related mitigation activities. This reporting helps to provide the Audit Committee with an informed understanding of the Company’s dynamic cybersecurity program and threat landscape. The Audit Committee also receives an ERM framework twice a year, in which material cybersecurity risks are identified, assessed and managed.
The Audit Committee has opportunities to report regularly to the Board and review any major issues that arise at the committee level, which may include cybersecurity risks. Senior Management (including the CTO) also brief Board members, including new members, on cybersecurity risks. Based on this information, Board members may request additional information to address any concerns.
Management
The Company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The Company’s cybersecurity function is led by the Head of Information Security, who reports to the CTO.
The Company’s cybersecurity function engages in a range of cybersecurity activities such as threat detection, security mechanisms, and incident response. The cybersecurity function conducts vulnerability management and penetration testing to identify and mitigate vulnerabilities. Regular meetings are held with the Head of Information Security and the CTO to provide visibility of major issues and seek alignment with strategy. As noted in the “Risk assessment, policies and procedures” section above, the Company’s cybersecurity incident response plan includes standard processes for reporting, escalating and recommending remediation actions for cybersecurity incidents to Senior Management. Cybersecurity incidents that meet certain thresholds are escalated to the cybersecurity leaders and cross-functional teams on an as-needed basis for support and guidance.
The Head of Information Security has approximately 30 years of IT experience across manufacturing, banking and aviation, including 13 years of cybersecurity experience. He holds the following relevant qualifications:
For details of the CTO’s experience, please see “Item 6. Directors, Senior Management and Employees — Senior Management”.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of the Company’s information technology systems from the Chief Technology Officer (“CTO”). These updates generally include any significant cybersecurity incidents, cybersecurity threats, cybersecurity program enhancements, and cybersecurity risks and related mitigation activities. This reporting helps to provide the Audit Committee with an informed understanding of the Company’s dynamic cybersecurity program and threat landscape. The Audit Committee also receives an ERM framework twice a year, in which material cybersecurity risks are identified, assessed and managed.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The Company’s cybersecurity function is led by the Head of Information Security, who reports to the CTO.
The Company’s cybersecurity function engages in a range of cybersecurity activities such as threat detection, security mechanisms, and incident response. The cybersecurity function conducts vulnerability management and penetration testing to identify and mitigate vulnerabilities. Regular meetings are held with the Head of Information Security and the CTO to provide visibility of major issues and seek alignment with strategy. As noted in the “Risk assessment, policies and procedures” section above, the Company’s cybersecurity incident response plan includes standard processes for reporting, escalating and recommending remediation actions for cybersecurity incidents to Senior Management. Cybersecurity incidents that meet certain thresholds are escalated to the cybersecurity leaders and cross-functional teams on an as-needed basis for support and guidance.
The Head of Information Security has approximately 30 years of IT experience across manufacturing, banking and aviation, including 13 years of cybersecurity experience. He holds the following relevant qualifications:
For details of the CTO’s experience, please see “Item 6. Directors, Senior Management and Employees — Senior Management”.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Head of Information Security
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Head of Information Security has approximately 30 years of IT experience across manufacturing, banking and aviation, including 13 years of cybersecurity experience. He holds the following relevant qualifications:
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Company’s cybersecurity function engages in a range of cybersecurity activities such as threat detection, security mechanisms, and incident response. The cybersecurity function conducts vulnerability management and penetration testing to identify and mitigate vulnerabilities. Regular meetings are held with the Head of Information Security and the CTO to provide visibility of major issues and seek alignment with strategy. As noted in the “Risk assessment, policies and procedures” section above, the Company’s cybersecurity incident response plan includes standard processes for reporting, escalating and recommending remediation actions for cybersecurity incidents to Senior Management. Cybersecurity incidents that meet certain thresholds are escalated to the cybersecurity leaders and cross-functional teams on an as-needed basis for support and guidance.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef