Archer Aviation Inc. - (ACHR)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
We understand the importance of maintaining an active cybersecurity risk management and strategy program. As an emerging technology company, we understand that we may face cyber threats that range from common cyberattacks, such as ransomware, to more advanced attacks such as advanced persistent threats perpetrated by nation-state actors and other highly organized actors. Our cybersecurity risk management program is guided by industry standards, such as the National Institute of Standards and Technology (“NIST”). We strategically partner with industry leading external vendors to perform cybersecurity assessments, as well as regular penetration testing to better understand our potential vulnerabilities, threat vectors, and impact on critical assets or operations. As part of these processes, our cybersecurity team identifies and prioritizes risks to devise our annual cybersecurity mitigation strategy and address operational risks. Our cybersecurity program is organized around the following key areas:
Risk Management and Strategy
Insider Risk Management. We recognize that not all threats are external. We have an insider risk management program and are working to improve our data loss protection technology to protect our critical data.
Security Awareness Education. Understanding the need for regular cybersecurity training, we have instituted a mandatory training program for all employees.
Technical Safeguards. We have improved our endpoint security postures through the implementation of an Enterprise Mobile Management system, and continue to increase our investment in strengthening email, DNS, and other network security services.
Threat Detection and Response. In addition to aligning our cybersecurity risk management program to NIST standards, we have also engaged with third party providers of security information and event management and cybersecurity services to provide continuous monitoring and operational threat detection and response. Our partners integrate threat intelligence into their platforms, providing us with a proactive view of possible threats.
Incident Response. We have implemented a holistic review of incident response, with workflows in place for cybersecurity incidents, including provisions for assessing materiality, and defined escalation procedures.
Third Party Risk Management. To manage third-party risks, our cybersecurity team evaluates our partners, to provide an additional layer of scrutiny, and supervises and identifies material risks associated with the use of third-party service providers. These processes include a review of security controls and supplier contractual obligations for security and data protection requirements.
Governance
Our Audit Committee is primarily responsible for assisting our Board of Directors in fulfilling its ultimate oversight responsibilities relating to risk assessment and management, including with respect to risks and incidents relating to cybersecurity threats, compliance with disclosure requirements, cooperation with law enforcement, cybersecurity and other information securities policies and practices and related internal controls. The Audit Committee reports any findings and recommendations, as appropriate, to the full Board of Directors for consideration. In that capacity, our Audit Committee conducts quarterly reviews of, and meets with our Chief Information Officer and other senior management to discuss, technology and cybersecurity risks and the risk assessment and risk management policies, practices, programs and/or procedures that we have adopted to monitor, control, mitigate and manage such risks. Our Board of Directors is committed to maintaining a well-informed and cybersecurity-aware posture, regularly engaging by receiving scheduled and requested updates on our strategy and evolving threat landscape as well as bolstering existing cybersecurity knowledge and continued education of recent cybersecurity trends.
We are developing processes to continuously monitor, analyze emerging threats, and to develop and implement risk mitigation strategies and our management team plays a pivotal role in assessing and managing material risks from cybersecurity threats. As our first key investment, we have hired our Director of Information Security with over 20 plus years of information security experience to oversee our cybersecurity program. Our Director of Information Security reports up to our Chief Information Officer. Together our Director of Information Security and Chief Information Officer have over 40 years of combined experience.