Sky Harbour Group Corp - (SKYH)

10-K Filing Date: March 27, 2024
ITEM 1C.

CYBERSECURITY

 

Cybersecurity represents a critical component of our overall approach to risk management. Our cybersecurity policies, standards and practices are fully integrated into our enterprise risk management (“ERM”) approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by our Board. Our cybersecurity policies, standards and practices follow recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. We generally approach cybersecurity threats through a cross-functional, multilayered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to us; (ii) preserving the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protecting our intellectual property; (iv) maintaining the confidence of our tenants, vendors and airport partners; and (v) providing appropriate public disclosure of cybersecurity risks and incidents when required.

 

Risk Management and Strategy

 

Consistent with overall ERM policies and practices, the Company’s cybersecurity program focuses on the following areas:

 

 

we maintain cybersecurity threat operations with the specific goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response plans;

 

 

we deploy systems safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through ongoing vulnerability assessments and cybersecurity threat intelligence;

 

 

we utilize collaboration mechanisms established with other entities, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks;

 

 

we maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems;

 

 

we provide periodic training and education for personnel regarding cybersecurity threats, which reinforces our information security policies, standards and practices, and such training is scaled to reflect the roles, responsibilities and information systems access of such personnel;

 

 

we have established and maintain comprehensive incident response plans that fully address our response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are evaluated on a regular basis;

 

 

we utilize a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from our technology, operations, legal, finance and other key business functions, as well as the members of the Board and the Audit Committee in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner; and

 

 

the Board’s oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with the Company’s Chief Financial Officer, Chief Accounting Officer and other members of management.

 


 

Governance

 

The Board, in coordination with the Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that our management implements to address risks from cybersecurity threats. The Board and the Audit Committee each participate in relevant discussions on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Board and the Audit Committee would also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed, to the extent applicable.

 

Our Director of Information Technology is principally responsible for overseeing our cybersecurity risk management program, in partnership with other members of our management team. The Director of Information Technology works in coordination with the other members of our cybersecurity committee, which includes our Chief Financial Officer, Chief Accounting Officer and In-house Counsel. Our Director of Information Technology has served in various roles in information technology and information security for over 26 years. Our Director of Information Technology, in coordination with our cybersecurity committee, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. Through the ongoing communications with our organization, the Director of Information Technology and the cybersecurity committee monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate.

 
