Air Transport Services Group, Inc. - (ATSG)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Our management team views cybersecurity risk management as an important strategic topic. Our cybersecurity strategy utilizes the cybersecurity framework developed by the National Institute of Standards and Technology (“NIST CSF”). The NIST CSF is a voluntary framework of practices to identify, protect, detect, respond to, and recover from cybersecurity risks. Using the NIST CF does not mean that we meet any particular technical standards or certifications, but rather that we use the NIST CSF to help us identify, assess, and manage cybersecurity risks relevant to our business. Using the NIST CSF, we form our cybersecurity plans and prioritize our activities using a risk-based approach which begins with the identification and evaluation of cybersecurity risks and threats that could disrupt our operations, safety procedures and regulatory compliance. Cybersecurity risks and related mitigation efforts are prioritized based on their potential impact severity, likelihood and vulnerability. Risk mitigation strategies include the application of cybersecurity policies and procedures, implementation of technology-based tools and controls, as well as employee training, education, and awareness initiatives. Our cybersecurity risk management includes ongoing monitoring of networks and systems for potential signs of suspicious activity. We track key performance indicators and cybersecurity metrics to evaluate the effectiveness of our cybersecurity safeguards and practices.
We rely increasingly on software applications, data transmissions and cybersecurity safeguards provided by or in conjunction with third parties to maintain our cybersecurity posture and evolve with the threat environment. We engage third party resources to assess our procedures, test safeguards, provide training and monitoring, and assess our vulnerabilities. We evaluate third party service providers from a cybersecurity risk perspective, which may include an assessment of that service provider’s cybersecurity posture and data security standards.
ATSG management has overall responsibility for assessing and managing risks from cybersecurity threats to our operations. Management has a supervisory team that consists of the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Vice President and Controller, and the Vice President of Information Technology, which meets regularly. The Vice President of Information Technology has primary responsibility for the execution of our cybersecurity risk management program and keeps the broader team informed about the detection, mitigation, and remediation of cybersecurity risks and incidents. The Vice President of Information Technology and the Company's other information technology and security department personnel include individuals with advanced university degrees in cybersecurity and years of technology management experience in matters such as conducting threat assessments, cyber mitigation and incident response.
26


While the Board has the primary responsibility for risk oversight, the Audit Committee assists the Board in fulfilling its oversight responsibility with respect to the management of cybersecurity-related risks. Through its Cybersecurity Subcommittee, the Audit Committee periodically reviews and discusses with management, including the Vice President of Information Technology, (i) the Company’s information security strategy, priorities and objectives; (ii) the Company’s technology and information security risks, including with respect to cybersecurity and data privacy; and (iii) the steps management has taken to manage cybersecurity.
We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or that are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, the nature of potential cybersecurity risks and threats are uncertain, and any future incidents, outages or breaches may materially affect our business strategy, results of operations or financial condition. For additional discussion of potential risks regarding cybersecurity, please see the information contained in Risk Related to Business Interruptions and Cybersecurity Incidents in Part 1A of this Form 10-K.