Blue Bird Corp 10-K Cybersecurity GRC - 2024-11-25

Page last updated on November 26, 2024

Blue Bird Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-25 16:30:43 EST.

Filings

10-K filed on 2024-11-25

Blue Bird Corp filed a 10-K at 2024-11-25 16:30:43 EST
Accession Number: 0001589526-24-000119


Item 1C. Cybersecurity.

Definitions

The SEC defines several key terms included in the below cybersecurity discussion as follows:

- Information systems are electronic information resources, owned or used by a registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
- A cybersecurity threat is any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program that is designed to safeguard the confidentiality, integrity, and availability of Company electronic information. The Company’s cybersecurity risk management program is integrated into the overarching enterprise risk management program to ensure that cybersecurity risk is properly mitigated. Crucial parts of the Company’s cybersecurity risk management program include the following:

- Regular vulnerability scans, penetration tests and risk assessments designed to identify weaknesses in the Company’s systems and processes.
- A Business Impact Analysis and Business Continuity Plan to identify potential threats, their potential impact on the business, and plans to respond, communicate and continue operations.
- An Incident Response Plan that includes detailed procedures for detecting, reporting and addressing security incidents in an organized and effective manner.
- A Disaster Recovery Plan that details the steps we must take to respond and recover from a disaster event.
- A Third-Party Risk Management Program that identifies and reduces risks presented by vendors and suppliers.
- The development and maintenance of a Cybersecurity Risk Register to identify and monitor security risks and treatment plans.

We utilize a third-party cybersecurity consulting firm that provides strategic and tactical security support, including, but not limited to, a Virtual Chief Information Security Officer (“vCISO”). The vCISO works with and provides strategic guidance to the Vice President of Information Technology, including preparing and/or presenting key information to the Company’s Audit Committee or Board of Directors, as necessary.

To date, there have been no risks identified from cybersecurity threats, including as a result of cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, financial condition or cash flows.

Governance

The Board of Directors has oversight responsibility for cybersecurity risks to the Company. It is informed of the status of the cybersecurity risk management program at least quarterly and is briefed on strategic objectives and high priority risks and incidents as they arise.

The Audit Committee oversees management’s implementation of our cybersecurity risk management program. The Audit Committee also receives quarterly reports from various members of management, including information technology and security specialists, on the state of the cybersecurity risk management program. The periodic updates include, but are not limited to, strategic objectives, key initiatives, key metrics, and noteworthy cybersecurity risks. In addition, management will update the Audit Committee regarding any significant cybersecurity incidents in a timely manner.

A Cybersecurity Materiality Assessment Committee has been formed to review material cybersecurity risks and threats and determine materiality criteria and thresholds for incidents. This committee is comprised of senior management from multiple departments including legal, information technology, security, human resources, finance and more.

The Vice President of Information Technology, responsible for the development of the cybersecurity risk management program, has extensive experience across information technology within the automotive manufacturing industry. The security team provided by the cybersecurity consulting firm contracted by the Company has a wide breadth of expertise across core cybersecurity disciplines including governance, risk, compliance, and security architecture and engineering. This security team has combined experience exceeding 30 years and numerous industry recognized security certifications. The vCISO, who is responsible for the oversight of, and strategic guidance for, the security team, has over 20 years of related experience and is a Certified Information Security Manager and a Certified Information Systems Security Professional.

To support these efforts, we follow the guidance of numerous security agencies, industry resources and frameworks, including, but not limited to, the Center for Internet Security Critical Security Controls v8 and the NIST Cybersecurity Framework. A comprehensive library of policies and procedures has been developed leveraging security best practices and industry standards to define the security program. In addition, a cybersecurity roadmap has been developed and is maintained to execute on the strategic plan and expand and mature the overall program.


Company Information

Name: Blue Bird Corp
CIK: 0001589526
SIC Description: Truck & Bus Bodies
Ticker: BLBD - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 27