BUTLER NATIONAL CORP 10-K Cybersecurity GRC - 2024-07-23

Page last updated on July 23, 2024

BUTLER NATIONAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-23 15:40:32 EDT.

Filings

10-K filed on 2024-07-23

BUTLER NATIONAL CORP filed a 10-K at 2024-07-23 15:40:32 EDT
Accession Number: 0001437749-24-023270

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy The Company maintains cybersecurity processes, technologies and controls to help it assess, identify and manage material risks from cybersecurity threats. These processes, technologies and controls are part of the Company’s overall enterprise risk management process. Our cybersecurity program is based on the National Institute of Standards and Technology Cybersecurity Framework and is designed to ensure that our information systems are effective and are prepared for cybersecurity threats, including through regular oversight and mitigation of internal and external threats. As a U.S. defense subcontractor, we are additionally obligated to comply with Department of Defense regulations such as Defense Federal Acquisition Regulation Supplement. The Company utilizes existing employees and contracts with third party firms to evaluate our information security program, for continuous system monitoring and threat detection, to gather insights for identifying and assessing material cybersecurity threats, and for potential mitigation assistance. We conduct cybersecurity assessments using third-party service providers, and we require them to promptly notify the Company of any cybersecurity risks, threats or incidents that might impact us. The Company has an established cybersecurity and information security awareness training program that includes mandatory annual training and regular communications for our employees regarding cybersecurity threats and methods of mitigation. There can be no guarantee that our policies and procedures will be effective. Although our risk factors include further detail about the material cybersecurity risks we face, we believe that risks from cybersecurity threats have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see the risk factor entitled " Cyber security attacks, internal system or service failures, and misappropriation of data or other breaches of information security may adversely impact our business and operations " in Item 1A. Risk Factors. Governance Management is responsible for the day-to-day assessment and management of cybersecurity risks. Cybersecurity measures that pertain specifically to Company’s Boot Hill subsidiary have been delegated to Boot Hill’s Board of Managers, a committee comprised of directors and officers of the Company and officers of Boot Hill. This committee is responsible for ensuring compliance with Kansas Racing and Gaming Commission regulations. The Board of Directors has oversight responsibility for the Company’s strategic and operational risks. The Board has delegated oversight responsibility for certain risks to its committees, including delegation to the Board’s Nominating and Governance Committee oversight of the Company’s major non-financial reporting enterprise risk assessment and management processes not retained by the Board. However, given the broad and important role of cybersecurity oversight, the Board has determined that oversight for cybersecurity should remain with the full Board. The Board routinely receives reports from the Company’s Chief Executive Officer, with the assistance of the Company’s IT department, concerning the Company’s cybersecurity risk management and strategies and related processes, technologies and controls.

Company Information