Aurora Innovation, Inc. - (AUR)
10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Aurora’s Information Security team has implemented a robust cybersecurity risk management program in order to protect the confidentiality, integrity, and availability of the Company’s products, infrastructure, and data. The program, which is integrated with our overall risk management system, aims to identify, assess, and mitigate cybersecurity risks for both the product and the organization. It includes a cybersecurity incident response procedure (“CIRP”) that defines roles and responsibilities during cybersecurity incidents, outlines incident handling procedures, including detection, investigation, and mitigation of incidents, and provides a framework for assessing incidents. Aurora’s CIRP contributes to satisfaction of certain elements of Aurora’s Safety Case. Additionally, the CIRP is referenced in and integrated into the Company’s Cross-Functional Incident Response Plan, which serves as an outline of the actions to be taken across the Company immediately following a vehicle incident.
Aurora’s Information Security team reports to and is led by our Vice President of Security Engineering, who is responsible for structuring and driving all cybersecurity initiatives at Aurora. This individual regularly reports cybersecurity progress to our Board of Directors, as well as senior leadership across the Company.
The Information Security team proactively reports, on a company-wide basis, the status of cybersecurity initiatives and risks, along with various assessments of our information security programs and the emerging threat landscape. We also perform periodic assessments and audits internally and leverage third-party experts, and the results of such assessments and audits are reported directly to senior leadership. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks, reasonably address any identified gaps in existing safeguards and regularly monitor the effectiveness of our safeguards. We also actively engage with key partners, vendors, customers, industry participants, government entities, intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures, especially around self-driving / autonomous vehicles. We work to identify, assess, and oversee risks from cybersecurity threats associated with third-party service providers, including, where appropriate, by contractually requiring third-party service providers to promptly inform us of incidents impacting their systems that could result in access to, loss, or unavailability of Aurora’s data. In addition, prior to engagement, we conduct thorough security assessments of all third-party service providers that handle confidential Aurora information or connect to Aurora computing environments. Such assessments include analysis of the service providers’ data handling practices and the security of their integrations with Aurora’s systems. This approach is designed to mitigate risks related to cybersecurity threats originating from third parties.
Risks from Threats and Incidents
We are subject to risks from cybersecurity threats and incidents to our vehicles and cloud infrastructure, including operational systems, security systems, integrated software and partners’ data processed by us or third-party vendors or suppliers. However, as of December 31, 2023, we do not believe such risks have materially affected or are reasonably likely to materially affect the Company, including the Company’s business strategy, results of operations, or financial condition. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K, including the risk factors entitled “Risks Related to Our Business Operations.”
Governance
Our information security management team, including our Chief Information Security Officer, is responsible for assessing and managing material risks from cybersecurity threats. Our Interim Chief Information Security Officer, who also serves as Vice President of Security Engineering, has more than ten years of experience as a network and security engineer and more than seven years of experience leading information security teams at renowned technology companies.
Members of our security operations team are responsible for notifying the information security management team about cybersecurity incidents. The information security management team is responsible for assessing cybersecurity incidents; managing the analysis, mitigation, and remediation of incidents; and conferring with other members of management about incidents, including the Chief Information Security Officer and other members of our senior executive management team.
Our Audit Committee, composed of members of our Board of Directors, oversees risks from cybersecurity threats and our cybersecurity risk management program as an integrated part of our overall risk management processes. We conduct quarterly assessments to identify and evaluate cybersecurity threats and present our findings to the Audit Committee. In consultation with the Disclosure Committee, we also notify the Audit Committee about cybersecurity incidents and risks related to cybersecurity incidents. The Audit Committee is responsible for advising the Company on appropriate incident response steps.