|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
Risk management and strategy
We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes.
As a foundation of this approach, we have implemented a layered governance structure to help assess, identify, manage and report cybersecurity risks. Our cybersecurity program leverages the NIST Framework, which outlines the core components and responsibilities necessary to sustain a healthy and well-balanced cybersecurity program. To protect our network and information systems from cybersecurity threats, we use various security tools and policies that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools.
We have a number of policies and procedures supporting the cybersecurity program, including a comprehensive enterprise cybersecurity incident response plan which is activated in the event of a cybersecurity incident. The incident response plan is a detailed playbook that specifies how Gogo classifies, responds to, and recovers from cybersecurity incidents and includes notification procedures that vary depending on the significance of the incident. When warranted by the severity of the incident, the Board, the Audit Committee, the Chief Executive Officer and other senior executives are part of the notification chain.
We conduct regular reviews and tests of our cybersecurity program, which includes tabletop exercises, penetration and vulnerability testing, simulations, and other exercises, as well as leverage audits by our internal audit team to evaluate the effectiveness of our cybersecurity program and controls and improve our security measures and planning. We also engage external auditors to review our cybersecurity program and controls, as well as engage third parties to perform penetration testing and vulnerability scanning of our public and private assets.
With respect to third-party service providers, we obligate our vendors to adhere to privacy and cybersecurity measures through various contractual provisions to the extent possible, and we perform risk assessments of vendors as appropriate from time to time, which includes a vendor’s ability to protect data from unauthorized access.
As described in Item 1A “Risk Factors,” our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, employee or vendor misconduct and other external hazards could expose our information systems and those of our vendors to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business, including the loss of customer confidence, reputational harm, our operating results and our financial condition. We have insurance designed to cover certain expenses relating to cybersecurity incidents; however, damage and claims arising from a cybersecurity incident may exceed the amount of any insurance available. While we have experienced cybersecurity incidents, to date, we do not believe that we experienced a material cybersecurity incident during the fiscal year ended December 31, 2024.
The sophistication of cybersecurity threats, including through the use of artificial intelligence, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency such as our contemplated use of artificial intelligence may further expose our computer systems to the risk of cybersecurity incidents.
Governance
As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, which involves Board and Audit Committee oversight, senior and department executive leadership focus and commitment, and employee training. Our Audit Committee, comprised entirely of independent directors from our Board, oversees the Board’s responsibilities relating to the operational (including information technology (“IT”) risks, business continuity and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through annual assessments, quarterly reporting and regular updates from members of the Company’s executive leadership team, cybersecurity and data privacy leadership team, as well as the Internal Audit team.
Our Senior Vice President, Chief Information Security Officer (“CISO”), leads our cybersecurity team and has over 15 years of experience establishing and leading comprehensive cybersecurity programs. Our CISO retired from the United States Navy, where he served in various roles with increasing responsibility, most recently serving as the Director of Operations – Navy Cyber Defense Operations Command. In that role, our CISO led a team of 450 personnel overseeing networks with more than 800,000 endpoints and more than 200 IT, Cloud, Legacy, and Operational Technology networks globally. We believe that our CISO’s technical expertise and background assist us with the navigation of the extensive regulatory framework to which we are subject as a federal contractor, including the achievement of the Cybersecurity Maturity Model Certification (“CMMC”) program. We believe we are well-positioned to meet the requirements of CMMC and are preparing for certification.
We also have management level committees and a cybersecurity incident team who support our processes to assess and manage cybersecurity risk as follows:
• The Cybersecurity Cross Functional Team (the “Cybersecurity CFT”), led by our CISO, brings together IT, legal, compliance and other function heads. The Cybersecurity CFT meets at least quarterly (or more frequently as needed) and provides a forum for these cross-functional members of management to: consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.
• The Gogo Executive Cybersecurity Committee (the “GECC”) is comprised of executive leadership and members of the cybersecurity, operations, risk, legal, and internal audit teams. The GECC liaises with the Cybersecurity CFT and provides oversight of all aspects of Gogo’s cybersecurity program and, at regular intervals through the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks.
• The Incident Response Management Team (the “IRMT”), which includes senior executives and members of our cybersecurity leadership team, was established to support our incident response plan and reports into the GECC. Members of the IRMT are alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The IRMT annually assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options. The IRMT also engages with the Company’s Board and the Audit Committee depending on the severity of the cybersecurity incident.
The output of each of the foregoing committees is collected and analyzed on a regular basis and our CISO briefs the Audit Committee, through quarterly updates as well as on an ad hoc basis between regular updates to the extent needed.
At the employee level, we maintain an experienced IT team tasked with implementing our privacy and cybersecurity program and supporting our cybersecurity leader in carrying out reporting, security and mitigation functions. We continuously seek to promote awareness of cybersecurity risk through communication and education of our employee population, and have a mandatory training program which covers privacy and cybersecurity (including phishing tests) and records and information management.
With respect to third party service providers, we obligate our vendors to adhere to privacy and cybersecurity measures, and we perform risk assessments of vendors, including their ability to protect data from unauthorized access.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, which involves Board and Audit Committee oversight, senior and department executive leadership focus and commitment, and employee training. Our Audit Committee, comprised entirely of independent directors from our Board, oversees the Board’s responsibilities relating to the operational (including information technology (“IT”) risks, business continuity and data security) risk affairs of the Company. Our Audit Committee is informed of such risks through annual assessments, quarterly reporting and regular updates from members of the Company’s executive leadership team, cybersecurity and data privacy leadership team, as well as the Internal Audit team.
Our Senior Vice President, Chief Information Security Officer (“CISO”), leads our cybersecurity team and has over 15 years of experience establishing and leading comprehensive cybersecurity programs. Our CISO retired from the United States Navy, where he served in various roles with increasing responsibility, most recently serving as the Director of Operations – Navy Cyber Defense Operations Command. In that role, our CISO led a team of 450 personnel overseeing networks with more than 800,000 endpoints and more than 200 IT, Cloud, Legacy, and Operational Technology networks globally. We believe that our CISO’s technical expertise and background assist us with the navigation of the extensive regulatory framework to which we are subject as a federal contractor, including the achievement of the Cybersecurity Maturity Model Certification (“CMMC”) program. We believe we are well-positioned to meet the requirements of CMMC and are preparing for certification.
We also have management level committees and a cybersecurity incident team who support our processes to assess and manage cybersecurity risk as follows:
• The Cybersecurity Cross Functional Team (the “Cybersecurity CFT”), led by our CISO, brings together IT, legal, compliance and other function heads. The Cybersecurity CFT meets at least quarterly (or more frequently as needed) and provides a forum for these cross-functional members of management to: consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.
• The Gogo Executive Cybersecurity Committee (the “GECC”) is comprised of executive leadership and members of the cybersecurity, operations, risk, legal, and internal audit teams. The GECC liaises with the Cybersecurity CFT and provides oversight of all aspects of Gogo’s cybersecurity program and, at regular intervals through the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks.
• The Incident Response Management Team (the “IRMT”), which includes senior executives and members of our cybersecurity leadership team, was established to support our incident response plan and reports into the GECC. Members of the IRMT are alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The IRMT annually assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options. The IRMT also engages with the Company’s Board and the Audit Committee depending on the severity of the cybersecurity incident.
The output of each of the foregoing committees is collected and analyzed on a regular basis and our CISO briefs the Audit Committee, through quarterly updates as well as on an ad hoc basis between regular updates to the extent needed.
At the employee level, we maintain an experienced IT team tasked with implementing our privacy and cybersecurity program and supporting our cybersecurity leader in carrying out reporting, security and mitigation functions. We continuously seek to promote awareness of cybersecurity risk through communication and education of our employee population, and have a mandatory training program which covers privacy and cybersecurity (including phishing tests) and records and information management.
With respect to third party service providers, we obligate our vendors to adhere to privacy and cybersecurity measures, and we perform risk assessments of vendors, including their ability to protect data from unauthorized access.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, which involves Board and Audit Committee oversight, senior and department executive leadership focus and commitment, and employee training. Our Audit Committee, comprised entirely of independent directors from our Board, oversees the Board’s responsibilities relating to the operational (including information technology (“IT”) risks, business continuity and data security) risk affairs of the Company.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Audit Committee is informed of such risks through annual assessments, quarterly reporting and regular updates from members of the Company’s executive leadership team, cybersecurity and data privacy leadership team, as well as the Internal Audit team.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Senior Vice President, Chief Information Security Officer (“CISO”), leads our cybersecurity team and has over 15 years of experience establishing and leading comprehensive cybersecurity programs. Our CISO retired from the United States Navy, where he served in various roles with increasing responsibility, most recently serving as the Director of Operations – Navy Cyber Defense Operations Command. In that role, our CISO led a team of 450 personnel overseeing networks with more than 800,000 endpoints and more than 200 IT, Cloud, Legacy, and Operational Technology networks globally. We believe that our CISO’s technical expertise and background assist us with the navigation of the extensive regulatory framework to which we are subject as a federal contractor, including the achievement of the Cybersecurity Maturity Model Certification (“CMMC”) program. We believe we are well-positioned to meet the requirements of CMMC and are preparing for certification.
We also have management level committees and a cybersecurity incident team who support our processes to assess and manage cybersecurity risk as follows:
• The Cybersecurity Cross Functional Team (the “Cybersecurity CFT”), led by our CISO, brings together IT, legal, compliance and other function heads. The Cybersecurity CFT meets at least quarterly (or more frequently as needed) and provides a forum for these cross-functional members of management to: consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.
• The Gogo Executive Cybersecurity Committee (the “GECC”) is comprised of executive leadership and members of the cybersecurity, operations, risk, legal, and internal audit teams. The GECC liaises with the Cybersecurity CFT and provides oversight of all aspects of Gogo’s cybersecurity program and, at regular intervals through the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks.
• The Incident Response Management Team (the “IRMT”), which includes senior executives and members of our cybersecurity leadership team, was established to support our incident response plan and reports into the GECC. Members of the IRMT are alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The IRMT annually assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options. The IRMT also engages with the Company’s Board and the Audit Committee depending on the severity of the cybersecurity incident.
The output of each of the foregoing committees is collected and analyzed on a regular basis and our CISO briefs the Audit Committee, through quarterly updates as well as on an ad hoc basis between regular updates to the extent needed.
At the employee level, we maintain an experienced IT team tasked with implementing our privacy and cybersecurity program and supporting our cybersecurity leader in carrying out reporting, security and mitigation functions. We continuously seek to promote awareness of cybersecurity risk through communication and education of our employee population, and have a mandatory training program which covers privacy and cybersecurity (including phishing tests) and records and information management.
With respect to third party service providers, we obligate our vendors to adhere to privacy and cybersecurity measures, and we perform risk assessments of vendors, including their ability to protect data from unauthorized access.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
• The Cybersecurity Cross Functional Team (the “Cybersecurity CFT”), led by our CISO, brings together IT, legal, compliance and other function heads. The Cybersecurity CFT meets at least quarterly (or more frequently as needed) and provides a forum for these cross-functional members of management to: consider emerging technologies, such as artificial intelligence and emerging cybersecurity risks; review cybersecurity and privacy regulations; approve, review and update policies and standards as appropriate; and promote cross-functional collaboration to manage cybersecurity and privacy risks across the enterprise.
• The Incident Response Management Team (the “IRMT”), which includes senior executives and members of our cybersecurity leadership team, was established to support our incident response plan and reports into the GECC. Members of the IRMT are alerted as appropriate to cybersecurity incidents, natural disasters and business outages. The IRMT annually assesses its communication plan to confirm that its members can be alerted quickly in the event of an actual crisis and meet as a team to discuss the event and response options. The IRMT also engages with the Company’s Board and the Audit Committee depending on the severity of the cybersecurity incident.
• The Gogo Executive Cybersecurity Committee (the “GECC”) is comprised of executive leadership and members of the cybersecurity, operations, risk, legal, and internal audit teams. The GECC liaises with the Cybersecurity CFT and provides oversight of all aspects of Gogo’s cybersecurity program and, at regular intervals through the year, evaluates key cybersecurity metrics as well as planned and ongoing initiatives to reduce cybersecurity risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our Senior Vice President, Chief Information Security Officer (“CISO”), leads our cybersecurity team and has over 15 years of experience establishing and leading comprehensive cybersecurity programs. Our CISO retired from the United States Navy, where he served in various roles with increasing responsibility, most recently serving as the Director of Operations – Navy Cyber Defense Operations Command. In that role, our CISO led a team of 450 personnel overseeing networks with more than 800,000 endpoints and more than 200 IT, Cloud, Legacy, and Operational Technology networks globally. We believe that our CISO’s technical expertise and background assist us with the navigation of the extensive regulatory framework to which we are subject as a federal contractor, including the achievement of the Cybersecurity Maturity Model Certification (“CMMC”) program. We believe we are well-positioned to meet the requirements of CMMC and are preparing for certification.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The output of each of the foregoing committees is collected and analyzed on a regular basis and our CISO briefs the Audit Committee, through quarterly updates as well as on an ad hoc basis between regular updates to the extent needed. At the employee level, we maintain an experienced IT team tasked with implementing our privacy and cybersecurity program and supporting our cybersecurity leader in carrying out reporting, security and mitigation functions.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true