ASTRONICS CORP - (ATRO)

10-K Filing Date: March 04, 2024
ITEM 1C. CYBERSECURITY
We recognize the critical importance of assessing, identifying, and managing material risks associated with cybersecurity threats. Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks, and resiliency against incidents. This strategy is supported by both management and our Board of Directors.
We continuously strive to surpass industry best practices by implementing robust risk-based controls aimed at safeguarding both our partners’ and the Company’s information systems. In order to protect both commercial and defense-related businesses and support our production operations, the Company has adopted security principles in accordance with the National Institute of Standards and Technology Cybersecurity Framework, contractual requirements and other global standards. We conduct comprehensive annual security assessments, including external and internal penetration tests, social engineering attacks, and vulnerability assessments. These assessments provide critical insights into our security posture and help us identify and address potential weaknesses proactively. Leveraging the expertise of multiple vendors, we ensure a thorough evaluation from diverse perspectives, enhancing the effectiveness of our security measures. Furthermore, as we implement solutions, we engage with industry-leading partners to receive guidance on best practices for solution use and overall security. This collaboration ensures that our cybersecurity strategies align with the latest industry standards and best practices. We also maintain regular communication with external partners to stay abreast of current cybersecurity trends and emerging threats. This proactive approach enables us to continuously enhance our security posture and adapt our defenses to evolving cyber risks.
The Company’s Director of Information Technology (“IT”), who reports to our CFO, has over 20 years of experience leading cybersecurity oversight and is responsible for management of cybersecurity risk and the protection and defense of our networks and systems. Our IT security team, led by the Director of IT, consists of professionals with broad cybersecurity experience, including a number of cybersecurity certifications and degrees. Our cybersecurity initiatives benefit from a wealth of practical knowledge and strategic insight. The IT security team’s comprehensive understanding of industry best practices, combined with hands-on experience in implementing cybersecurity solutions, ensures that our networks and systems are effectively protected against emerging threats. As a result, cybersecurity remains a top priority across the organization, with resources allocated efficiently to mitigate risks and enhance our overall security posture.
The Board of Directors oversees an enterprise-wide approach to risk management, designed to support the achievement of organizational objectives, including strategic objectives, to improve long-term organizational performance and enhance shareholder value. The Director of IT provides a report to the Board of Directors on an annual basis, or more frequently as needed, with respect to information security activity, security assessments, controls and investments.
We have a set of Company-wide policies and procedures concerning cybersecurity matters. The Company’s Incident Management Policy provides a framework for reporting and managing security incidents affecting the Company’s information and business computing devices and systems, losses of information, and information security concerns. All users, including employees, contractors, consultants, suppliers, customers, government, and all personnel affiliated with third parties that perform work for the Company, are obligated to report information security incidents in order to mitigate the consequences and reduce the risk of future breaches of security. Our incident response process consists of several principal steps, including 1) preparation for a cybersecurity incident, 2) detection of a security incident and assignment to the appropriate IT personnel, 3) identification and preservation of evidence, and 4) risk assessment. Depending on the nature and severity of an incident, notifications are escalated to our CEO and the Board of Directors and, if determined to be material, externally. The incident management process is overseen by the Director of IT. The Company maintains additional policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, mobile devices and data destruction. These policies go through an internal review process and are approved by appropriate members of management.
Our IT security team reviews enterprise risk management-level cybersecurity risks annually. The following key risk elements are evaluated:
Insiders – Whether intentional or unintentional, individuals within our Company may cause damage to our systems. We have processes in place to seek to mitigate these threats, including but not limited to controls over access to our systems and access to network resources.
External threats – We recognize the risk that hackers, vandals, and saboteurs may seek to gain access to information contained in our systems. We employ multi-layered defense and continuous monitoring to seek to mitigate the risk associated with these threats. The Company also conducts regular periodic training of its employees as to the protection of sensitive information which includes security awareness training intended to prevent the success of “phishing” attacks.
Third-party risks – We also consider and evaluate cybersecurity risks associated with use of third-party service providers. User access to third-party systems is reviewed annually, and we obtain and review a System and Organization Controls (SOC) 1 or SOC 2 report from key third-party service providers.
Key cybersecurity risks and mitigating responses are addressed within our Company-wide policies.
While we have experienced cybersecurity incidents in the past, to date none have materially affected the Company or our financial position, results of operations and/or cash flows. However, the risks from cybersecurity threats and incidents continue to increase, and the preventative actions we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against all such threats and incidents. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Item 1A, Risk Factors, under the heading “Our business and operations could be adversely impacted in the event of a failure of our information technology infrastructure or adversely impacted by a successful cyber-attack.”