Page last updated on February 27, 2025
AAON, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 07:05:43 EST.
Filings
10-K filed on 2025-02-27
Accession Number: 0000824142-25-000039
Item 1C. Cybersecurity.
Cybersecurity risk management and strategy

We maintain various information security processes designed to identify and manage material risks from cybersecurity threats to our computer networks, third-party hosted services, communications systems, hardware and software, and data, including personal data, intellectual property and confidential information that is proprietary, strategic or competitive in nature.

Our cybersecurity function includes representatives from information technology, engineering, information security, legal, impacted business units or products and other departments as applicable and help identify, assess and manage the Company’s cybersecurity threats and risks. The management team is responsible for identifying, assessing and managing cybersecurity risks by monitoring and evaluating potential threats using various methods including, for example, manual and automated tools such as vulnerability scans, penetration tests and system configuration reviews; conducting risk assessments and internal and external audits; and conducting tabletop incident response exercises.

We implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage risks from cybersecurity threats to our systems, including, for example: (1) having an information security incident response plan; (2) maintaining a disaster recovery plan, business continuity program, vulnerability management process and vendor risk management process; (3) conducting periodic risk assessments and employee training on cybersecurity; (4) maintaining security controls in alignment with industry standard security frameworks like National Institute of Standards and Technology (“NIST”) and Center for Internet Security (“CIS”); (5) encrypting and segregating data, having network security controls, access controls, monitoring systems, managing assets and conducting penetration testing; and (6) maintaining cybersecurity insurance.

Our assessment and management of risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program in concert with the audit committee and board of directors; (2) our information security team works with our management team in an effort to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our information security and management team evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee for further communication as required, to evaluate our overall enterprise risk.

We use third-party service providers to assist us in identifying potential risks from cybersecurity threats. For example, these service providers include professional services firms, managed cybersecurity service providers, penetration testing firms and forensic investigators. We have a vendor management process designed to manage cybersecurity risks associated with our use of these providers. This process includes risk assessments, security questionnaires, review of vendor security programs, review of available security assessments, reports, and audits.

For more information about cybersecurity risks, see the Risk factors discussion in Item 1A of this Form 10-K.

Governance of cybersecurity risk management

The Board of Directors has oversight responsibility for our strategic and operational risks. The audit committee assists the board of directors with this responsibility by reviewing and discussing our risk assessment and risk management practices, including cybersecurity risks, with members of management. The audit committee, in turn, periodically reports on its review with the board of directors.

Management is responsible for day-to-day assessment and management of cybersecurity risks. The Company officer with oversight of Information Technology (“IT”) has primary oversight of material risks from cybersecurity threats. Through November 2024, our Chief Information Officer was responsible for IT and had more than 25 years of experience across various engineering, business and management roles, including leading the development and implementation of information technology strategies and roadmaps for manufacturing automation. After the departure of our Chief Information Officer, our Vice President of Administration has responsibility and oversight for IT.

Management assesses our cybersecurity readiness through internal assessment tools as well as third-party control tests, vulnerability assessments, audits and evaluation against industry standards. We have governance and compliance structures that are designed to elevate issues relating to cybersecurity to Management, such as potential threats or vulnerabilities. We also employ various defensive and continuous monitoring techniques using recognized industry frameworks and cybersecurity standards.

Our information security incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. The incident response team works with the Company’s management team to help mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s information security incident response plan includes reporting to the board of directors for certain cybersecurity incidents.

Management meets with the audit committee periodically to review our information technology systems and discuss key cybersecurity risks. In addition, the Chief Financial Officer reviews with the audit committee at least annually our risk management program, which includes cybersecurity risks and is also reported to the board.
Company Information
Name | AAON, INC. |
CIK | 0000824142 |
SIC Description | Air-Cond & Warm Air Heatg Equip & Comm & Indl Refrig Equip |
Ticker | AAON - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |