AerSale Corp - (ASLE)

10-K Filing Date: March 08, 2024
ITEM 1C CYBERSECURITY

Cybersecurity Risk Management and Strategy

AerSale has developed and implemented a comprehensive cybersecurity risk management program for identifying, assessing, and managing material risks to protect the confidentiality, integrity and availability of critical systems and information relevant to our business. Our program utilizes a risk-based approach and is designed based on various cybersecurity frameworks, such as the National Institute of Standards and Technology (“NIST”), and the Center for Internet Security (“CIS”), and shares common methodologies, reporting channels, and governance processes that apply across all areas of our enterprise risk management, including legal, compliance, operational, and financial risks.

AerSale’s comprehensive cybersecurity risk management program includes, among others:

a security awareness training agenda with topics relating to phishing, spam, viruses, insider threats, suspicious activity and procedures to escalate them, as well as other safety concerns. Certain training programs are targeted to employees based on their individual job responsibilities and on the potential risks associated with such roles.
internal and external assessments, including audits and response simulations, to examine cybersecurity vulnerabilities and potential attack vectors to company systems, as well as evaluating the impact of these vulnerabilities in our operational and financial posture.
processes to identify and respond to material cybersecurity risks from third party service providers, and risk mitigation policies to reduce exposure to such risks.
a cybersecurity incident response plan that includes procedures for responding to cybersecurity threats or incidents.
when appropriate, use of external subject matter specialists, including assessors, consultants, auditors or other third parties, to provide incident response services and to conduct independent assessments of internal response readiness.
engagement in security practices that include physical, administrative and technical safeguards of systems and hardware.

We are not aware of any risks from cybersecurity threats, including any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cybersecurity incident would not materially affect our business strategy, results of operations or financial condition. See “Risks Related to AerSale’s Business and Industry—Our business could be negatively affected by cyber or other security threats or other disruptions” in “Risk Factors” on page 13 of this Form 10-K.

Cybersecurity Governance

Our Board of Directors has overall responsibility for risk oversight, and has delegated the responsibility of cybersecurity and other information technology related risks to the Audit Committee of the Board of Directors, which oversees the implementation and continuous improvement of our comprehensive cybersecurity risk management program and compliance with disclosure requirements. The Audit Committee is provided with information, results of internal and external assessments, and updates on cybersecurity initiatives at Audit Committee meetings from our Chief Information Officer, and is responsible for reporting any findings and recommendations to the Board of Directors for consideration.

Our team of cybersecurity professionals is led by our Chief Information Officer, a seasoned technology executive with over 20 years of experience in the cybersecurity field, a strong focus on systems and security, and a proven track record of leading cyber experts to protect organizations from evolving threats. The cybersecurity team has the primary responsibility for AerSale’s comprehensive cybersecurity risk management program, and supervises internal personnel as well as external cybersecurity consultants.

Our processes are designed to prevent and monitor cybersecurity incidents, allowing us to timely detect and respond to incidents through our cybersecurity response plan, which includes materiality evaluations based on the size and scope of the incident. This evaluation is documented in an incident report that is shared with the Chief Information Officer, Chief Financial Officer and Audit Committee to effectively manage resources to reduce risk and prevent future incidents.