AEye, Inc. - (LIDR)
10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Information technology is important to our business operations and we are committed to protecting the privacy, security, and integrity of our data, as well as our employee, customer, and vendor data. Accordingly, we have established processes, procedures, and controls to identify, manage, assess, and mitigate material risks from cybersecurity threats, as well as identify, contain, and respond to cybersecurity incidents. These processes include, but are not limited to, monitoring and updating of our information technology and infrastructure to prevent, detect, address, and mitigate risks associated with unauthorized access, misuse, computer viruses, and other events that could have a security impact. Additionally, to protect and secure sensitive data, we employ multi-factor authentication, a suite of security tools, systems monitoring and alerting, audit logs, and controls across our major systems, devices, and business processes. We engage with external experts to evaluate and test our cybersecurity risk preparedness. Regular exams and threat and security assessments with these third parties ensure that our cybersecurity strategies align with industry best practices. To manage cybersecurity risks associated with third-party service providers, we impose security requirements upon our suppliers, including maintaining an effective security management program and notifying us in the event of any known or suspected cyber incident. We also conduct company-wide security awareness training periodically to provide employees the opportunity to gain an understanding of the various forms of cybersecurity incidents and enable our employees to handle and report the majority of suspicious activities or threats. We currently maintain a cyber insurance policy that provides coverage for security breaches; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks, or other related breaches.
As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, see the risk factor within Item 1A "Risk Factors" in this Annual Report on Form 10-K, entitled "We, as well as our suppliers and partners, are subject to cybersecurity risks to operational systems, infrastructure, integrated software in our lidar solutions, and the data processed by those solutions, and any material failure, weakness, interruption, cyber event, incident, or breach of security could adversely affect our business by causing a disruption of our operations, a compromise or corruption of our confidential or other business-critical information, and/or damage our business relationships, all of which could negatively impact our business financial condition, and operating results."
Cybersecurity Governance
Cybersecurity risks are among the enterprise risks that our Board of Directors oversees, primarily through delegation to the Audit Committee of the Board. The Audit Committee assists the Board in overseeing our privacy and information policies and reviewing our cybersecurity program. The Audit Committee engages with our management team, including our Director of IT and our Chief Financial Officer, and receives periodic reports on cybersecurity. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Board receives regular updates on the activities of the Audit Committee, including with regard to cybersecurity oversight. These cybersecurity reviews by the Audit Committee or Board of Directors generally occur at least once annually, or more frequently as determined to be necessary.
The day-to-day operations of our cybersecurity risk management program are overseen by our Director of IT, who reports to our Chief Financial Officer. Our Director of IT has served in this position for 5 years. He has over 38 years of IT experience, including over 10 years of experience in security compliance. Our Director of IT supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal personnel, threat intelligence, alerts, or reports produced by security tools deployed in the IT environment.