|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Mar. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
Viasat Cybersecurity Risk Management, Strategy and Governance Disclosure
Viasat builds, maintains, and operates satellite and telecommunications systems, infrastructure and services used by both government and commercial customers across the globe. We recognize the importance of building a resilient cybersecurity program focused on reducing cybersecurity risk to our customers, partners and our own organization. Our Cybersecurity Engineering organization, at the direction of the Board of Directors, has developed and implemented a cybersecurity risk management and technical assistance program intended to protect the confidentiality, integrity and availability of the services provided and the information stored, processed or transmitted by our critical systems and infrastructure, while assisting staff to develop, operate and maintain secure products and services.
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated governance of cybersecurity and other technology risks to the Audit Committee (the Committee). Our executive management is ultimately responsible for assessing and managing risks from cybersecurity threats we face, and in this regard works closely with the Chief Information Security Officer (CISO) who reports to our Chief Corporate Officer. The Committee oversees management’s design and implementation of our cybersecurity risk management program and receives periodic reports, at least semi-annually, from the CISO on cybersecurity risks, the threat landscape, and our cybersecurity planning roadmap. In addition, the CISO updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as other relevant incidents and potential or mitigated threats. The Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity, and may request the CISO brief the Board of Directors on the status of cybersecurity and risk management programs, as well as relevant incidents and threats. Board members also receive periodic presentations on key cybersecurity topics from the CISO.
Our operational cybersecurity team is led by the CISO. The CISO has 31 years of experience in Information Technology and Security, with extensive experience designing, operating and protecting satellite and terrestrial telecommunications networks. The CISO also leads Viasat’s engagement with the private sector and government security communities, which includes facilitating active information sharing with these partners. As part of the acquisition and continuing integration of Inmarsat, the legacy Inmarsat cybersecurity team joined the Viasat Security Engineering organization. The engineering and operational cybersecurity teams of both legacy organizations jointly participate in local and national cybersecurity organizations, teach classes on cybersecurity, maintain numerous relevant certifications, and participate in training relevant to their field of expertise.
The cybersecurity risk management program at Viasat is centered around an internally developed set of security principles and requirements, known as the “Foundational Security Principles”. The Foundational Security Principles, which we seek to apply across our products and services to promote security resiliency and repeatability, represents a minimum baseline of information security requirements. These principles have a focus on secure-by-design approaches for new products and services, and provide the basis for risk-informed control implementations for legacy networks and systems. Our Foundational Security Principals are designed with reference to the current published version of industry frameworks including, but not limited to, NIST Cybersecurity Framework, International Standards Organization (ISO) 27001, Payment Card Industry (PCI) Data Security Standard (DSS), National Institute of Standards and Technology (NIST) 800-171, and tailored baselines of NIST 800-53. This does not imply that we have implemented each, or any specific, technical standard, specification or configuration embedded in these frameworks but rather that they collectively inform and guide our identification, assessment and management of cybersecurity risks relevant to our businesses. Certain IT environments with higher risk or contractual, regulatory or customer requirements, or those environments where processing or storing sensitive types of information are required, are designed to comply with stricter sets of security requirements or security control frameworks.
Integration efforts continue between legacy Viasat and Inmarsat’s cybersecurity departments. Viasat is actively merging policies, processes, and operations security practices and operational footprints ensuring we have appropriate security tools and solutions that align with our business objectives and security requirements. The combined Viasat and Inmarsat cybersecurity organizations report to Viasat’s CISO and remain focused on the overall Viasat and Inmarsat satellite service network and corporate integration activities.
Functionally, our cybersecurity team performs internal and external risk assessments and testing on both internally and externally developed systems, as well as certain third-party and supply chain partner ecosystems based on our assessment of their respective operational criticality and risk profile. Depending on the risks presented, this may include some combination of manual and automation-driven testing methods and supply chain risk management activities such as hardware and software assurance assessments, anti-counterfeit measures, and the use of trusted suppliers. Compliance with security policies, procedures, and standards are assessed, and depending on the potential risks posed to us, third-party assessments may be performed, including penetration tests, red team engagements, gap assessments, and compliance certification assessments. We also conduct several 3rd party compliance and audit assessments, including PCI DSS Tier 1 Merchant and Service Provider, ISO27001, UK Cyber Essentials Plus, and DFARS 252.204-7012 High Assurance assessments.
The cybersecurity team also closely collaborates with our physical security team on planning, risk assessment, and incident response where appropriate, as well as developing and delivering a joint annual security training and education program that engages our employees, appropriate partners and third parties in a security training program that incorporates both cybersecurity and physical security elements. Additionally, our annual security training program supports additional focused security training for personnel handling certain sensitive information such as payment card information (PCI), controlled unclassified information (CUI), or personally identifiable information (PII).
To better understand Viasat’s threat landscape we partner with multiple U.S. government agencies to acquire and share cybersecurity threat intelligence related to threats, vulnerabilities, indicators of compromise, and current, relevant threat information that are expected as a cleared defense contractor and active Defense Industrial Base (DIB) member. Partner entities include the Defense Cyber Crime Center (DC3), Defense Cybersecurity Information Sharing Environment (DCISE), DCMA, National Security Agency Cybersecurity Collaboration Center (NSA CCC), and Defense Counterintelligence and Security Agency (DCSA). Viasat is also an active participant in several Information Sharing and Analysis Centers (ISACs), including the National Defense (ND-ISAC), Aviation (A-ISAC), and Space (Space ISAC).
Our cybersecurity engineering teams have personnel dedicated to detection engineering activities that leverage threat intel gathered to mitigate the impact of security events. Security detection and operations teams are responsible for detection activities including 7x24 staffed Cybersecurity Operations Centers responsible for monitoring our service provider networks and internal corporate and development environments. Various automated tools are used for detection and remediation, with support from experienced detection and response analysts and engineers.
When security events do occur, we employ a security incident response process that is designed to contain, eradicate, and recover operations as quickly as possible, while preserving forensic evidence for further analysis and potential attribution. We leverage multiple third parties for incident response and forensic support on retainer as necessary to assist during the incident response and remediation phases. We also maintain cybersecurity insurance in the event of cybersecurity related damages or data loss as a result of a cybersecurity incident or unauthorized data disclosure.
During fiscal year 2025, we did not identify risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition. We face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors – Our Reputation and Business Could Be Materially Harmed as a Result of Data Breaches, Data Theft, Unauthorized Access or Hacking” in Part I, Item 1A of this report.
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity engineering teams have personnel dedicated to detection engineering activities that leverage threat intel gathered to mitigate the impact of security events. Security detection and operations teams are responsible for detection activities including 7x24 staffed Cybersecurity Operations Centers responsible for monitoring our service provider networks and internal corporate and development environments. Various automated tools are used for detection and remediation, with support from experienced detection and response analysts and engineers.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated governance of cybersecurity and other technology risks to the Audit Committee (the Committee). Our executive management is ultimately responsible for assessing and managing risks from cybersecurity threats we face, and in this regard works closely with the Chief Information Security Officer (CISO) who reports to our Chief Corporate Officer. The Committee oversees management’s design and implementation of our cybersecurity risk management program and receives periodic reports, at least semi-annually, from the CISO on cybersecurity risks, the threat landscape, and our cybersecurity planning roadmap. In addition, the CISO updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as other relevant incidents and potential or mitigated threats. The Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity, and may request the CISO brief the Board of Directors on the status of cybersecurity and risk management programs, as well as relevant incidents and threats. Board members also receive periodic presentations on key cybersecurity topics from the CISO.
Our operational cybersecurity team is led by the CISO. The CISO has 31 years of experience in Information Technology and Security, with extensive experience designing, operating and protecting satellite and terrestrial telecommunications networks. The CISO also leads Viasat’s engagement with the private sector and government security communities, which includes facilitating active information sharing with these partners. As part of the acquisition and continuing integration of Inmarsat, the legacy Inmarsat cybersecurity team joined the Viasat Security Engineering organization. The engineering and operational cybersecurity teams of both legacy organizations jointly participate in local and national cybersecurity organizations, teach classes on cybersecurity, maintain numerous relevant certifications, and participate in training relevant to their field of expertise.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated governance of cybersecurity and other technology risks to the Audit Committee (the Committee). Our executive management is ultimately responsible for assessing and managing risks from cybersecurity threats we face, and in this regard works closely with the Chief Information Security Officer (CISO) who reports to our Chief Corporate Officer. The Committee oversees management’s design and implementation of our cybersecurity risk management program and receives periodic reports, at least semi-annually, from the CISO on cybersecurity risks, the threat landscape, and our cybersecurity planning roadmap. In addition, the CISO updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as other relevant incidents and potential or mitigated threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity, and may request the CISO brief the Board of Directors on the status of cybersecurity and risk management programs, as well as relevant incidents and threats. Board members also receive periodic presentations on key cybersecurity topics from the CISO.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated governance of cybersecurity and other technology risks to the Audit Committee (the Committee). Our executive management is ultimately responsible for assessing and managing risks from cybersecurity threats we face, and in this regard works closely with the Chief Information Security Officer (CISO) who reports to our Chief Corporate Officer. The Committee oversees management’s design and implementation of our cybersecurity risk management program and receives periodic reports, at least semi-annually, from the CISO on cybersecurity risks, the threat landscape, and our cybersecurity planning roadmap. In addition, the CISO updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as other relevant incidents and potential or mitigated threats. The Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity, and may request the CISO brief the Board of Directors on the status of cybersecurity and risk management programs, as well as relevant incidents and threats. Board members also receive periodic presentations on key cybersecurity topics from the CISO.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our executive management is ultimately responsible for assessing and managing risks from cybersecurity threats we face, and in this regard works closely with the Chief Information Security Officer (CISO) who reports to our Chief Corporate Officer. The Committee oversees management’s design and implementation of our cybersecurity risk management program and receives periodic reports, at least semi-annually, from the CISO on cybersecurity risks, the threat landscape, and our cybersecurity planning roadmap.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our operational cybersecurity team is led by the CISO. The CISO has 31 years of experience in Information Technology and Security, with extensive experience designing, operating and protecting satellite and terrestrial telecommunications networks. The CISO also leads Viasat’s engagement with the private sector and government security communities, which includes facilitating active information sharing with these partners. As part of the acquisition and continuing integration of Inmarsat, the legacy Inmarsat cybersecurity team joined the Viasat Security Engineering organization. The engineering and operational cybersecurity teams of both legacy organizations jointly participate in local and national cybersecurity organizations, teach classes on cybersecurity, maintain numerous relevant certifications, and participate in training relevant to their field of expertise.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Committee oversees management’s design and implementation of our cybersecurity risk management program and receives periodic reports, at least semi-annually, from the CISO on cybersecurity risks, the threat landscape, and our cybersecurity planning roadmap.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef