CPI AEROSTRUCTURES INC - (CVU)

10-K Filing Date: April 06, 2024
Item 1C. CYBERSECURITY

Cybersecurity risk management is an important part of our overall risk management efforts. We maintain a cybersecurity program that consists of policies, procedures, controls and plans intended to help us prevent, and respond effectively to, cybersecurity threats or incidents. Through our cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors to company systems. We maintain various measures to safeguard against cybersecurity threats, such as monitoring systems, security controls, policy enforcement, data encryption, employee training, tools and services from third-party providers, and management oversight to assess, identify and mitigate risks from cybersecurity threats. We conduct regular testing of these controls and systems, including vulnerability scanning, penetration testing and simulated execution of parts of our disaster recovery plan. All employees must pass a cybersecurity training course annually, and we regularly conduct phishing simulations to train our employees to recognize phishing attempts.

We have implemented cybersecurity frameworks, policies and practices that incorporate industry standards and contractual requirements. We also contractually flow cybersecurity regulatory requirements down to our subcontractors as required by the Defense Federal Acquisition Regulation Supplement and other agency-specific government requirements. These contractual flow-downs include the requirement that our subcontractors implement certain information security controls. Additionally, on an annual basis we gather information and review the SOC 2 reports of certain third parties that integrate with our systems, such as our payroll processor, managed solutions provider and software-as-a-service providers, to identify and manage risk. We continuously evaluate and seek to improve and mature our cybersecurity processes. We apply lessons learned from our defense and monitoring efforts to help prevent future attacks, and we use data analytics to detect anomalies and search for cyber threats. Additionally, our Internal Audit function regularly assesses the effectiveness of our program through audits of systems and processes to help maintain compliance with policies.

Cybersecurity threats of all types, such as attacks from computer hackers, cybercriminals and nation-state actors, social engineering and other malicious internet-based activities, continue to increase. We believe that our current preventive actions and response planning provide adequate protection against cybersecurity risks. While we have implemented measures to safeguard our information technology systems, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurance that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.

Governance

Our board of directors has oversight of our strategic and business risk management and oversees management’s execution of our cybersecurity risk management program. The board receives regular updates from management on our cybersecurity risks. In addition, management updates the board as necessary regarding any material cybersecurity incidents, as well as incidents with lesser potential impact. Management is responsible for identifying, assessing and managing cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting appropriate mitigation measures in place, maintaining cybersecurity policies and procedures, and providing regular reports to our board of directors. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection through mitigation, recovery and notification, including notifying functional areas (e.g., legal) as well as senior leadership and the board, as appropriate.

Our Vice President of Human Resources & Administration (“VP HR&A”) leads our cybersecurity program and is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. The VP HR&A manages a team of information technology professionals with broad experience, including in cybersecurity threat assessment and detection, mitigation technologies, incident response, insider threats and regulatory compliance.

Our cybersecurity program is regularly assessed through management self-evaluation and ongoing monitoring procedures to evaluate its effectiveness, including assessments associated with internal controls over financial reporting, as well as vulnerability management through active discovery and testing to validate patching and configuration.