AIR T INC 10-K Cybersecurity GRC - 2024-06-26

Page last updated on July 16, 2024

AIR T INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-26 17:00:54 EDT.

Filings

10-K filed on 2024-06-26

AIR T INC filed a 10-K at 2024-06-26 17:00:54 EDT
Accession Number: 0000353184-24-000062

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy To effectively prevent, detect, and respond to cybersecurity threats, the Company employs a multi-faceted cybersecurity risk management program supervised by our Vice President of Technology (VP of Tech), who reports directly to our CEO. The VP of Tech is responsible for leading our enterprise cybersecurity strategy. This responsibility includes establishing processes designed to prevent and monitor potential cybersecurity risks, assessing potential cybersecurity incidents, implementing mitigation measures, and maintaining the cybersecurity program itself. We do this so that we can continuously enhance our cybersecurity capabilities and strengthen our defensive posture. Our capabilities, processes, and other security measures also include, without limitation: - Endpoint Detection and Response software, which monitors for malicious activities on external-facing endpoints (computers, servers, etc.). - Managed Detection and Response partnership with a third-party security firm, which monitors these endpoints on a continual basis. - Cloud monitoring, running on primary public and private cloud environments. - Disaster recovery and incident response plans, including a ransomware response plan. - Training for all personnel with access to digital assets. Cybersecurity risk management is an integral part of overall enterprise risk management. As part of its enterprise risk management efforts, the Board of Directors meets with the executive leadership team to assess and respond to critical business risks. These assessments include a review of our cybersecurity programs, as well as an overview of trending cyber threats based on industry intelligence and potential mitigation strategies. Performing these assessments regularly enables the Company to determine key business objectives and the IT assets and capabilities needed to achieve them. In addition, the assessments also provide the executive leadership and the Board of Directors an understanding of the Company’s security landscape and allows it to prepare to respond to threats. Cybersecurity threats continue to be identified as one of the Company’s significant risks, with our VP of Tech assigned as the risk owner. Our VP of Tech has developed expertise in cybersecurity and compliance, enterprise architecture and road mapping, data analytics and customer service through his eighteen years of experience in the information technology space including over thirteen years in senior leadership roles. He is currently a Certified Information Systems Security Professional (CISSP) and he holds a Master’s degree in Software from the University of St. Thomas. Governance The Board of Directors has delegated primary responsibility for the oversight of cybersecurity and information technology risks, and the Company’s preparedness for these risks, to the Audit Committee. The Audit Committee serves and functions as the Board of Directors primary oversight body to monitor the Company’s cybersecurity and related information technology risks. The Audit Committee receives periodic updates from the VP of Tech on the Company’s policies, processes, procedures, and any significant development related to the identification, mitigation and remediation of cybersecurity risks.The Audit Committee ensures that the VP of Tech provides to the Board of Directors annual updates on our cybersecurity and information technology risk. These annual updates include topics related to our cybersecurity programs and mitigation strategies, trends in cybersecurity, and other cybersecurity-related developments. We may engage third-party advisors to monitor threats and to scan for vulnerabilities. When a cybersecurity threat or incident is identified by our third-party advisor, it is reported directly to our VP of Tech. The VP of Tech in conjunction with professionals throughout the organization, including information technology specialists, accountants, and lawyers, determine severity and response, then manage it to conclusion in accordance with our cybersecurity incident response processes. We may engage third party advisors as part of our incident response processes to assist with digital forensics among other efforts. The VP of Tech, together with the cross-functional team, report material or potentially material incidents to our executive leadership and the Audit Committee. The VP of Tech provides further updates regarding root causes and remediation efforts. In the event the Company determines it has experienced a material cybersecurity incident the Board of Directors is notified. In an effort to deter and detect cyber threats, we engage a third-party service provider to periodically provide all employees with a data protection and cybersecurity awareness training program, which covers timely and relevant topics, including phishing, password protection, confidential data protection, asset use and mobile security, and further educates employees on the importance of and process for reporting all potential incidents immediately. The Company continuously monitors the risk associated with its third-party service providers. The Company mandates that our key third-party service providers undergo an annual SOC 1 audit, which assist in identifying risks from cybersecurity threats. In cases where a waiver is granted, the Company ensures that alternative measures are in place to maintain rigorous oversight. The Company reviews all SOC1 audit reports to ensure our third-party service providers are maintaining adequate IT security and business process controls. This review process is part of our commitment to confirming that these third-party service providers are safeguarding our operations and data integrity. 25 We sustained a cybersecurity attack in May 2022 involving ransomware that caused a network disruption and impacted certain of our systems. Upon detection, we undertook steps to address the incident, including engaging a team of third-party forensic experts and notifying law enforcement. We restored network systems and resumed normal operations. The Company did not pay any ransomware and the attack did not materially affect the Company’s business strategy, results of operations, or financial condition. We have taken actions to improve our existing systems such as adding multi-factor authentication and to improve employee training and security competency. We have not identified any other cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Please refer to our R isk F actors in Item 1 A for more information on the risks associated with cybersecurity attacks.

Company Information