AAON, INC. - (AAON)
10-K Filing Date: February 28, 2024
ITEM 1C. Cybersecurity
Cybersecurity risk management and strategy
Our cybersecurity risk management is based on recognized cybersecurity industry frameworks and standards, including those of the National Institute of Standards and Technology ("NIST"), the Center for Internet Security ("CIS"), the Control Objectives for Information and Related Technologies ("COBIT"), and the International Organization for Standardization ("ISO"). We use these frameworks, together with information collected from internal assessments, to develop policies for use of our information assets, access to specific intellectual property or technologies, and protection of personal information. We protect these information assets through industry-standard techniques, such as multifactor authentication and malware defenses. We also work with internal stakeholders across the company to integrate foundational cybersecurity principles throughout our organization’s operations, including employment of multiple layers of cybersecurity defenses, restricted access based on business need, and integrity of our business information. Throughout the year, we also regularly train our employees on cybersecurity awareness and confidential information protection, and we conduct simulated phishing attacks.
We engage third-party assessors to conduct penetration testing and to measure our program against industry-standard frameworks as needed. We also have standing engagements with incident response experts and external counsel. We frequently collaborate with industry experts and cybersecurity practitioners at other companies to exchange information about potential cybersecurity threats, best practices and trends.
Our cybersecurity risk management is an important part of our comprehensive business continuity program and internal risk management. Our information security team periodically engages with a cross-functional group of subject matter experts and leaders to assess and refine our cybersecurity risk posture and preparedness. We practice our response to potential cybersecurity incidents through regular tabletop exercises, threat hunting and red team exercises.
For more information about cybersecurity risks, see the Risk factors discussion in Item 1A of this Form 10-K.
Governance of cybersecurity risk management
The board of directors, as a whole, has oversight responsibility for our strategic and operational risks. The audit committee assists the board of directors with this responsibility by reviewing and discussing our risk assessment and risk management practices, including cybersecurity risks, with members of management. The audit committee, in turn, periodically reports on its review with the board of directors.
Management is responsible for day-to-day assessment and management of cybersecurity risks. Our chief information officer has primary oversight of material risks from cybersecurity threats. Our chief information officer has more than 25 years of experience across various engineering, business and management roles, including leading the development and implementation of information technology strategies and roadmaps for manufacturing automation.
Our chief information officer assesses our cybersecurity readiness through internal assessment tools as well as third-party control tests, vulnerability assessments, audits and evaluation against industry standards. We have governance and compliance structures that are designed to elevate issues relating to cybersecurity to our chief information officer, such as potential threats or vulnerabilities. We also employ various defensive and continuous monitoring techniques using recognized industry frameworks and cybersecurity standards.
Our chief information officer meets with the audit committee periodically to review our information technology systems and discuss key cybersecurity risks. In addition, the chief financial officer reviews our risk management program, which includes cybersecurity risks, with the audit committee at least annually; that review is also reported to the board.