Wheels Up Experience Inc. - (UP)
10-K Filing Date: March 07, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company’s cybersecurity risk management practices are intended to assess, identify and manage risks from threats to the security of our information, systems, products and network. We have developed and implemented cybersecurity and data privacy processes and procedures that are informed by recognized cybersecurity frameworks and standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Organization for Standardization 27001 (ISO 27001) Framework. We use these frameworks, together with information collected from assessments, to tailor aspects of our cybersecurity and data privacy practices given the nature of our assets, operations and business. Key features of our cybersecurity and data privacy processes and procedures include the following:
• Risk-based controls for information systems and information on our networks: We seek to maintain an information technology infrastructure that implements controls that are tailored based on risk and designed to protect the confidentiality, integrity and access to our information systems and information stored on our networks, including member, customer and employee information, intellectual property and proprietary information. We employ in-depth defense mechanisms throughout our enterprise, including, but not limited to, employee training, vulnerability management, multi-factor authentication, cybersecurity insurance and managed security services to monitor, mitigate and/or prevent cybersecurity incidents.
• Cybersecurity incident management and response: We have a cybersecurity incident response plan and specified teams to respond to cybersecurity incidents. When a cybersecurity incident occurs or we identify a vulnerability, our cross-functional teams lead the initial assessment of priority and severity, and external experts may also be engaged as appropriate. Our cybersecurity teams assist in responding to incidents depending on severity levels and seek to improve our cybersecurity incident management plan through periodic simulations of common incidents. Further, we work closely with our external managed security services experts to provide ongoing monitoring and to augment our internal cybersecurity team with incident management and response specialists.
• Cybersecurity awareness and training: Our employees are required to complete security awareness training and a compliance course annually, which we believe helps our employees understand their information protection and cybersecurity responsibilities. We also provide additional training to certain employees in accordance with member or customer requirements and regulatory obligations. Further, we regularly communicate with employees about evolving cybersecurity trends through company-wide cybersecurity alerts, which heightens awareness of cybersecurity events that may be impacting our business, peers and industry.
• Our assessments of third parties: We have implemented a third-party risk management process that includes, among other things, periodic cybersecurity assessments on certain third parties on which we rely based on an assessment of their risk profile. We also seek contractual commitments from third parties to satisfy our cybersecurity and data privacy requirements, and require third parties to maintain their information technology systems and protect Wheels Up information that is processed on their systems.
• Third-party assessments of Wheels Up: We have engaged third-party cybersecurity companies to periodically assess our cybersecurity and data privacy processes and procedures, and to assist in identifying and remediating risks from cybersecurity threats. Our third-party assessors regularly conduct penetration testing and measure our processes, procedures and responses against industry standard frameworks. We use the results of these periodic assessments to implement programmatic changes and continuous improvements in alignment with business requirements, industry standards and regulatory requirements.
We believe our cybersecurity risk management practices are an important part of our enterprise risk management processes, and must be continuously updated and improved. As of the date of this Annual Report, we have not identified material risks from known cybersecurity threats, including as a result of any past cybersecurity incidents, since the beginning of the last full fiscal year that have materially affected the Company, including our business strategy, results of operations or financial condition. See Part I, Item 1A “Risk Factors—Risks Relating to Technology, Cybersecurity and Data Privacy” for more information about cybersecurity and data privacy risks.
Governance
The Board, the Audit Committee and management each actively assess the Company’s cybersecurity and data privacy risk management practices with the goal of being proactive rather than reactive. The Board and the Audit Committee regularly review the Company’s cybersecurity and data privacy risks, including our policies, controls and procedures for identifying, managing and mitigating such risks. The Audit Committee receives periodic reports from our Chief Information Security Officer (“CISO”) and other members of management to the extent their relevant areas are impacted, regarding cybersecurity and data privacy measures and procedures, the identification of security gaps and compliance with applicable cybersecurity and data privacy regulations. The Audit Committee then briefs the Board at scheduled meetings about cybersecurity and data privacy developments.
Management is responsible for day-to-day monitoring of the prevention, detection, mitigation and remediation of cybersecurity incidents. Our CISO, who reports to our Chief Digital Officer, has primary oversight of material risks from cybersecurity and data privacy matters. Our CISO has more than 25 years of experience across various information technology, information security and management roles, including leading the development and implementation of cybersecurity and data privacy strategies for the member and customer-facing aspects of our business. In addition, our CISO holds degrees in Engineering Technology and Information Systems and Technology, and industry certifications awarded by the International Information System Security Certification Consortium (ISC2): Certified Information Systems Security Professional (CISSP) and Information Systems Security Engineering Professional (ISSEP).
Our CISO supervises a team of cyber risk architects, engineers and managers who actively work to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means. Our cyber risk team collaborates with internal stakeholders to identify and analyze cybersecurity risks to the Company, implement appropriate controls and enable leaders to make risk-based business decisions that implicate cybersecurity considerations. Our CISO also reports on our cybersecurity and data privacy processes, procedures and risks to our executive management team when changes or risks are expected to impact other portions of the business, including with respect to the Wheels Up mobile app, website and proprietary pricing algorithms.