Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Air Group’s management and Board consider cybersecurity to be a critical component of the Company’s risk management plan. Our systems are subject to increasing and evolving cybersecurity risks. Unauthorized parties have attempted and continue to attempt to gain access to our systems and information, including through fraudulent misrepresentation and other means of deception. The systems of our suppliers, vendors, and other business partners are also at risk. The threat of cybersecurity incidents is included within our company’s annual Enterprise Risk Management (ERM) program that assesses the most significant risks to the enterprise.

Because of the industry in which we operate, we are subject to extensive cybersecurity regulation, including but not limited to those regulations overseen by the FAA, TSA, and DOT. As a result, it is imperative our cybersecurity risk management is well-planned and sufficiently robust to maintain compliance with these regulations.

As part of our annual review of our cybersecurity risk management, we engage third-parties for a variety of processes including external audits, vulnerability assessments, and penetration tests. These processes help ensure our overarching strategy remains effective over time.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Air Group’s management and Board consider cybersecurity to be a critical component of the Company’s risk management plan. Our systems are subject to increasing and evolving cybersecurity risks. Unauthorized parties have attempted and continue to attempt to gain access to our systems and information, including through fraudulent misrepresentation and other means of deception. The systems of our suppliers, vendors, and other business partners are also at risk. The threat of cybersecurity incidents is included within our company’s annual Enterprise Risk Management (ERM) program that assesses the most significant risks to the enterprise.

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Board of Directors Oversight [Text Block]

The Board of Directors of Alaska Air Group is responsible for overseeing management’s processes to identify and mitigate risks, including cybersecurity risks. The Board’s Audit Committee leads the review and discussion of cybersecurity threats with management and receives updates from the CISO each quarter. Senior management, including the CISO, are available to address questions or concerns from the Audit Committee related to our risk management plan.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Board’s Audit Committee leads the review and discussion of cybersecurity threats with management and receives updates from the CISO each quarter. Senior management, including the CISO, are available to address questions or concerns from the Audit Committee related to our risk management plan.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Board of Directors of Alaska Air Group is responsible for overseeing management’s processes to identify and mitigate risks, including cybersecurity risks. The Board’s Audit Committee leads the review and discussion of cybersecurity threats with management and receives updates from the CISO each quarter. Senior management, including the CISO, are available to address questions or concerns from the Audit Committee related to our risk management plan.

Cybersecurity Risk Role of Management [Text Block]

The Company’s Chief Information Security Officer (CISO) is responsible for management of material risks from cybersecurity threats. The CISO has multiple years of experience working in information and network security management, and has in-depth knowledge of compliance requirements and standards set by various regulatory agencies. The CISO leads a team dedicated to the prevention, mitigation, detection, and remediation of any cybersecurity incidents. If a potential incident is identified, the CISO is notified and engages the cybersecurity incident response team (CyberSIRT). This team is responsible for declaring a cybersecurity incident and comprises individuals from multiple relevant departments. In the event the CyberSIRT declares an incident, the CISO provides overall direction for the response and mitigation of the threat. This response includes actions taken to protect our data and networks, evaluation of the potential materiality of the incident, and the communication of the incident to critical parties, including senior leadership and the Board of Directors.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

The Company’s Chief Information Security Officer (CISO) is responsible for management of material risks from cybersecurity threats. The CISO has multiple years of experience working in information and network security management, and has in-depth knowledge of compliance requirements and standards set by various regulatory agencies. The CISO leads a team dedicated to the prevention, mitigation, detection, and remediation of any cybersecurity incidents. If a potential incident is identified, the CISO is notified and engages the cybersecurity incident response team (CyberSIRT). This team is responsible for declaring a cybersecurity incident and comprises individuals from multiple relevant departments. In the event the CyberSIRT declares an incident, the CISO provides overall direction for the response and mitigation of the threat. This response includes actions taken to protect our data and networks, evaluation of the potential materiality of the incident, and the communication of the incident to critical parties, including senior leadership and the Board of Directors.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The CISO has multiple years of experience working in information and network security management, and has in-depth knowledge of compliance requirements and standards set by various regulatory agencies.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The Company’s Chief Information Security Officer (CISO) is responsible for management of material risks from cybersecurity threats. The CISO has multiple years of experience working in information and network security management, and has in-depth knowledge of compliance requirements and standards set by various regulatory agencies. The CISO leads a team dedicated to the prevention, mitigation, detection, and remediation of any cybersecurity incidents. If a potential incident is identified, the CISO is notified and engages the cybersecurity incident response team (CyberSIRT). This team is responsible for declaring a cybersecurity incident and comprises individuals from multiple relevant departments. In the event the CyberSIRT declares an incident, the CISO provides overall direction for the response and mitigation of the threat. This response includes actions taken to protect our data and networks, evaluation of the potential materiality of the incident, and the communication of the incident to critical parties, including senior leadership and the Board of Directors.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true