Volato Group, Inc. - (SOAR)
10-K Filing Date: March 26, 2024
ITEM 1C. CYBERSECURITY
Governance
The Company has multi-layer processes to assess, identify, manage and mitigate material risks from cybersecurity threats.
Members of senior leadership, including the Volato Group Board (“Board”), assess potential material risks to the business and the Company’s ability to meet strategic priorities, including risks from cybersecurity threats. The Company’s senior leadership receives updates from relevant functional heads or other subject matter specialists on these potential material risks as well as the processes or other steps being taken to manage or mitigate the risks. The senior leadership team includes senior leaders in areas of importance to Company priorities. The Company’s senior leadership assesses and prioritizes risk based on impact to shareholders, operations, and strategic priorities, among other factors. Members of senior leadership discuss enterprise risks and compliance programs with the Audit Committee of the Board. The Audit Committee makes reports to the Board, which also receives updates from members of senior management on material risks to the Company.
Risk Management and Strategy
The Chief Technology Officer (“CTO”) oversees the Company’s information security program and is responsible for the day-to-day information risk management activities through the internal information technology team and outside resources. The CTO, who has 32 years of Information Technology (“IT”) and IT security experience, employs a team of information technology experts, including a Director of IT who is further supported by other members of the IT and technology department.
We have developed and implemented cybersecurity and data privacy processes and procedures that are informed by recognized cybersecurity frameworks and standards, including Microsoft Azure CSPM and SOC 2. We use these frameworks, together with information collected from periodic manual assessments and automated testing, to tailor aspects of our cybersecurity practices given the nature of our assets, operations and business. The Company’s processes to assess, identify and manage material risks from cybersecurity threats include, but are not limited to, the following:
• The members of the information technology team actively monitor threats to the information technology environment. They work with a third party to provide additional 24/7 monitoring of cyber threats. These internal and external cybersecurity teams are empowered to contain network access through various application controls. Structural protections are also in place to mitigate risks of end point failures and provide for continuity of operations.
• The Company uses various systems to manage threats, such as firewall protections, anti-virus protections and vulnerability scans, among others. Such systems are regularly reviewed for adequacy and potential enhancements.
• The Company employs an information security and training program for our employees, including regular internal communications and ongoing end-user testing to measure the effectiveness of our information security program.
• The Company utilizes a third-party service that provides real-time threat intelligence feeds and global threat data to enhance threat detection capabilities and proactively defend against emerging cyber threats.
• We monitor the geographic location of our data sent to third-party systems.
In 2023, we conducted an enterprise risk assessment that included an assessment of cybersecurity risk in context with other enterprise-level risks. For additional information regarding potential cybersecurity risks, see relevant business and operational risks under Item 1A, "Risk Factors", of this Annual Report on Form 10-K.
In the last three years, we have not experienced a material information security breach incident, or any penalties or settlements related to the same, and the expenses we have incurred from information security breach incidents were immaterial.