Eve Holding, Inc. - (EVEX)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity


Risk Management and Strategy

 

We are subject to a broad range of cybersecurity threats, with varying levels of sophistication. These cyber threats are related to the confidentiality, availability and integrity of our systems and data.

 


 

As an indirect subsidiary of ERJ, the Company falls within ERJ’s IT ecosystem and has adopted ERJ’s processes and mechanisms for the assessment, identification and management of risks arising from cybersecurity threats. These processes and mechanisms are based on best practices (such as NIST 800 Special Publication and ISO 27001/2) and undergo periodic reviews to enhance their ability to spot, control, and respond to potential cybersecurity threats. In addition, as part of ERJ’s IT ecosystem, the Company has access to third-party cybersecurity firms and independent auditors to assist in assessing its cybersecurity controls and procedures. The Company conducts security assessments, vulnerability management, penetration testing, security audits, and ongoing risk assessments, and maintains incident response plans to be utilized in the event that an incident is detected.

 

Certain of our business partners, such as our suppliers, have access to limited confidential and other sensitive information of ours. The Company follows a third-party cybersecurity risk management process, developed by ERJ, which is designed to help oversee and identify risks from cybersecurity threats associated with the use of third-party service providers.

 

To date, we are not aware of any risks from cybersecurity threats, including as a result of any previous known cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our efforts to ensure the integrity of our computer systems, software, networks, and other technology assets, we may not be able to anticipate, detect, or recognize threats to our systems and assets, or to implement effective preventive measures against all cyber threats, especially because the techniques used are increasingly sophisticated, change frequently, are complex, and are often not recognized until launched. For additional information on cybersecurity risks, see the risk factors “We are subject to cybersecurity risks to our operational systems, security systems, infrastructure, integrated software in our aircraft and customer data processed by our third-party vendors” and “If we or our third-party service providers experience a security breach, or if unauthorized parties otherwise obtain access to our customers’ data, our reputation may be harmed, demand for services may be reduced, and we may incur significant liabilities” in Part I, Item 1A of this Form 10-K.

 

Governance

 

We have developed and continue to enhance our cybersecurity governance program to help identify and assess material risks from cybersecurity threats.

 

Our management team, with involvement and input from our Board of Directors and the Audit Committee, performs enterprise risk assessments annually, or as needed, to help identify and manage key existing and emerging enterprise risks for the Company. Our enterprise risk assessment process seeks to identify both the potential impacts to Eve of a particular risk and the probability that it will materialize. Our management team has the overall responsibility for, and oversight of, our Enterprise Risk Management (“ERM”) process, monitoring and managing each of the identified risks, and cybersecurity is among the risks identified and presented to the management team in connection with ERM risk assessments. ERJ’s Chief Information Security Officer (“CISO”) is primarily responsible for the assessment and management of cybersecurity risks. ERJ’s CISO has several years of experience in information security and possesses the requisite education, skills and competence expected of an individual assigned to these duties.

 

Our Audit Committee is responsible for overseeing our policies, practices, and assessments with respect to risks, such as cybersecurity. Following an ERM risk assessment, any risks identified, including cybersecurity, are presented to the Audit Committee by the management team, with the strategic guidance of the CISO. The Audit Committee makes recommendations to the Board of Directors for cybersecurity risks identified. The Board of Directors and the Audit Committee receive updates throughout the year on enterprise risks, including cybersecurity matters.