AeroVironment Inc 10-K Cybersecurity GRC - 2024-06-26

Page last updated on July 16, 2024

AeroVironment Inc reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-06-26 19:15:00 EDT.

Filings

10-K filed on 2024-06-26

AeroVironment Inc filed a 10-K at 2024-06-26 19:15:00 EDT
Accession Number: 0001558370-24-009515


Item 1C. Cybersecurity.

We face various cybersecurity threats, including denial-of-service attacks, ransomware, phishing, and advanced persistent threats. In addition, as an aerospace and defense company that provides sophisticated defense products and services to the U.S. and foreign governments, we are also subject to cybersecurity risks from organized adversaries, including groups affiliated with various nation states. Our customers, suppliers, subcontractors and vendors also face similar threats. Cybersecurity incidents impacting us or any of these third parties could have a material adverse effect on our operations, financial condition and results of operations. Given the cybersecurity risks we face, we believe it is imperative that we dedicate ample resources to addressing and mitigating our cyber risks.

Risk Management and Strategy

Our cybersecurity program is designed to identify, detect, protect against, respond to, and recover from cyber risks from the cyber threats we face. Our cybersecurity program is part of our internal risk management processes. We continually improve and revise our cybersecurity practices as new threats and vulnerabilities emerge.

Our Chief Information Security Officer (“CISO”) and our Director of Global Cybersecurity (“Cybersecurity Director”) lead our Detection and Response Team (“DART”), which is responsible for our cybersecurity incident response processes pursuant to our Incident Response Plan and playbooks. The DART consists of members of our IT department responsible for protecting against, detecting, containing, mitigating, and recovering from cybersecurity incidents. The DART evaluates and assigns severity levels to cybersecurity incidents, and based on the severity, escalates and engages incident response teams based on severity, and responds to and mitigates the related risks.

Our cybersecurity team proactively hunts for cyber threats and vulnerabilities in our networks and information systems as part of our cyber risk management program, including by monitoring our networks and systems for intrusions and other suspicious activity. The cybersecurity team stays apprised of existing and emerging cybersecurity threats, including by partnering with third parties, such as the U.S. government, law enforcement agencies, customers, and other defense industry participants to share and receive information on emerging threats and expanding our cybersecurity knowledge and global monitoring practices. We also engage third parties to conduct evaluations of our cybersecurity controls, such as penetration testing and controlled cybersecurity framework audits. We also review the cybersecurity practices of our third-party service providers.

We have aligned our cybersecurity program to the National Institute of Standards and Technology’s (“NIST”) published cybersecurity standards and our policies and processes are compliant with NIST Special Publication 800-171 and other applicable publications. Given our status as a defense contractor, we are subject to numerous regulations, including those pursuant to the Defense Federal Acquisition Regulation Supplement, (“DFARS”) requiring us to have controls in place to protect U.S. Government controlled unclassified information (“CUI”) and to report cybersecurity incidents to the DoD. We will also be subject to the DoD Cybersecurity Maturity Model Certification (“CMMC”) requirements, which will require companies like AeroVironment that do business with the DoD to obtain specific third-party certifications relating to specified cybersecurity standards to be eligible for new contract awards. We are in the process of preparing for the CMMC requirements. While we believe we are in a good position to meet the requirements of CMMC, if we fail to achieve certification in advance of contract awards, or we fail to achieve certification at the level required for a particular contract award, we will be unable to bid on such contract awards or follow-on awards for existing work with the DoD, which could adversely impact our results of operations. Additionally, our subcontractors, and certain of our vendors, may also need to comply with CMMC requirements and, potentially obtain CMMC certification. We may be negatively impacted if our subcontractors or vendors are not compliant with CMMC requirements.

We require our employees to take cybersecurity-related training regularly that promotes awareness of how to detect, report, and respond to cybersecurity threats. Employees with certain roles and responsibilities are also assigned cyber training for their specific functions. We also maintain an Insider Threat program, headed by our Director of Security, to identify, assess and deal with potential risks from within our company, including cyber risks.

Governance

Our CISO and our Cybersecurity Director are responsible for the day-to-day management of our cybersecurity program and cybersecurity risks. Our CISO, who has approximately 24 years in various information technology and cybersecurity roles, and our Cybersecurity Director, who has approximately 20 years of experience in various cybersecurity roles, are primarily responsible for our overall cybersecurity risk management program and supervise both internal and external resources to identify, protect against, detect, respond to, and recover from cybersecurity risks, threats, and incidents. Our Cybersecurity Director leads our internal Cybersecurity Council, which meets monthly to help implement management’s cybersecurity strategy and to monitor and manage our cybersecurity threats and risks.

Our Cybersecurity Council consists of the Cybersecurity Director, CISO, Chief Financial Officer, General Counsel and Chief Compliance Officer, Chief Technology Officer, Vice President of Internal Audit, Vice President of Global Supply Chain, Director of Security, and Sr. Manager of Contracts Operations and Compliance. The CISO and/or Cybersecurity Director report cybersecurity incidents to members of the company’s senior management, including the Cybersecurity Council, and/or the Board of Directors based on the severity and type of the incident to ensure that proper external reporting is completed thoroughly and timely.

Pursuant to its charter, the Cybersecurity Committee of our board of directors is responsible for reviewing, discussing, and making recommendations to the full board of directors regarding cybersecurity matters. Our CISO and Cybersecurity Director provide presentations to the Cybersecurity Committee on our cybersecurity program at each of the committee’s regularly scheduled quarterly meetings. These briefings include assessments of the cyber risk and threats landscape, updates on incidents, policies and procedures, and our investments and plans in cybersecurity risk mitigation and governance. The Cybersecurity Committee also meets with members of the Cybersecurity Council to discuss various aspects of our cybersecurity program in between regular meetings. All members of the board of directors are invited to attend all meetings of the Cybersecurity Committee and the committee regularly briefs the entire board of directors regarding their oversight of our cybersecurity program.

Cybersecurity Threats

We have experienced cybersecurity incidents in the past and will experience cybersecurity incidents in the future. Prior cybersecurity incidents have not materially affected, or are reasonably likely to affect, our business strategy, results of operations or financial condition, however, there is no guarantee that a future cybersecurity incident would not have a material adverse effect on such items. While we believe our cybersecurity program is designed to mitigate cybersecurity risks, we cannot eliminate all risks from cybersecurity threats. See Item 1A. Risk Factors for more information on our cybersecurity risks.


Company Information

Name: AeroVironment Inc
CIK: 0001368622
SIC Description: Aircraft
Ticker: AVAV - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: April 29