AIR LEASE CORP - (AL)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY

Our cybersecurity program includes the assessment, identification and management of material risks from cybersecurity threats (as such term is defined in Item 106(a) of Regulation S-K). To identify and assess material risks from cybersecurity threats, our annual enterprise risk management assessment considers cybersecurity threat risks alongside other risks as part of our overall risk assessment process. In addition, we engage with consultants, internal and external auditors and other third parties to gather certain insights designed to identify and assess material cybersecurity threat risks, their severity and potential mitigations. We also employ a range of tools and services, depending on the environment, including network and endpoint monitoring, vulnerability assessments, penetration testing and tabletop exercises, to inform our cybersecurity risk identification and assessment. As part of our cybersecurity program, we maintain an incident response plan that includes processes to assess the severity of, escalate, contain, investigate and remediate certain cybersecurity incidents, as well as to comply with applicable reporting obligations.

Our board of directors has delegated oversight of our cybersecurity program, which includes oversight of cybersecurity threats, to the audit committee. Throughout the year at each quarterly meeting, the audit committee receives updates on our cybersecurity program from senior management, including in connection with program enhancements, audits of the program and employee cybersecurity training. Our Head of Information Technology is a Certified Information Systems Security Professional who has provided program management and enterprise cybersecurity services across different organizations for over twenty years, has a Master of Information Technology Management and is responsible for day-to-day assessment and management of our information systems and cybersecurity program. Our Head of Information Technology reports directly to our Chief Financial Officer.

For a description of the risks from cybersecurity threats that are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “A cyberattack could lead to a material disruption of our information technology (“IT”) systems or the IT systems of our third-party providers and the loss of business information, which may hinder our ability to conduct our business effectively and may result in lost revenues and additional costs.”

29