WILLIS LEASE FINANCE CORP - (WLFC)

10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY

The Company has policies, controls, and procedures in place for assessing, identifying, and managing material risks from cybersecurity threats, including, but not limited to:

Reviewing financial reporting systems and subsystems to ensure that access is limited to approved users;

Reviewing data recorded, processed, and reported to ensure that the data remains complete, accurate, and valid;
Conducting regular network and endpoint monitoring and vulnerability assessments to improve our information systems;

Reviewing system changes of financial reporting significance to ensure that they have been authorized and appropriately tested before being moved to production;

Monitoring and identifying cybersecurity threats in connection with the use of third-party providers;

Responding to and remediating any incident of damage or interruption to our information technology systems, including cyberattacks, internally and through the use of third-party providers as necessary;

Carrying information security risk insurance that provides protection against potential losses arising from a cybersecurity incident; and

Requiring regular cybersecurity training programs for employees, management, and directors.

These approaches vary in maturity across our business, and we work to continually improve them.

The Company’s Board of Directors and management have discussions to stay vigilant and engaged as it relates to cyber exposures, risk management strategy, monitoring, and cyber-incident response and recovery plans. Members of the Board of Directors have access to, and relationships with, cybersecurity experts in the organization, including the Company’s Head of Information Technology, who has extensive experience in network operations and an understanding of cybersecurity. Additionally, as the dynamic cybersecurity environment is continuously evolving, management has periodic meetings with our cybersecurity insurance providers to reevaluate the Company’s cybersecurity risks and related information technology resiliency. The Board of Directors shall be informed of any material information technology breaches that the Company has experienced in a timely manner.

22