SKYX Platforms Corp. - (SKYX)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY

 

Organizations in our industry are frequently confronted with a broad range of cybersecurity threats, ranging from uncoordinated, individual attempts to gain unauthorized access to an organization’s information technology (“IT”) environment to sophisticated and targeted cyberattacks sponsored by foreign governments and criminal enterprises. Although we employ comprehensive measures to prevent, detect, address, and mitigate these threats, a cybersecurity incident could potentially result in the misappropriation, destruction, corruption, or unavailability of critical data, personal identifiable information, and other confidential or proprietary data (our own or that of third parties) and the disruption of business operations. The potential consequences of a material cybersecurity incident include remediation and restoration costs, reputational damage, litigation with third parties, and diminution in the value of our investment in research and development, which in turn could adversely affect our competitiveness and results of operations. Accordingly, cybersecurity is an important part of our Enterprise Risk Management (“ERM”) program, and the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach.

 

The Company’s cybersecurity policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats and responding to cybersecurity incidents are integrated into the Company’s risk management program and are based on recognized frameworks established by the National Institute of Standards and Technology. The Company has established controls and procedures, including an Incident Response Plan, that provide for the identification, analysis, notification, escalation, communication, and remediation of data security incidents at appropriate levels so that so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. In particular, the Company’s Incident Response Plan (i) is designed to identify and detect information security threats through various mechanisms, such as through security controls and third-party disclosures, and (ii) sets forth a process to (a) analyze any such threats detected within the Company’s IT environment or within a third-party’s IT environment, (b) contain cybersecurity threats under various circumstances, and (c) better ensure the Company can recover from cybersecurity incidents to a normal state of business operations. The Company has established and maintains other incident response and recovery plans that address the Company’s response to a cybersecurity incident.

 

As part of its cybersecurity program, the Company deploys measures to deter, prevent, detect, respond to and mitigate cybersecurity threats, including firewalls, anti-malware, intrusion prevention and detection systems, identity and access controls, software patching protocols, and physical security measures. The Company periodically assesses and tests the Company’s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents, including by assessing current threat intelligence, conducting tabletop exercises, and vulnerability and security testing,. The Company has a process to report material results of such testing and assessments to the board, and periodically adjusts the Company’s cybersecurity program based on these exercises. The Company engages third parties to conduct part of such testing The Company identifies and oversees cybersecurity risks presented by third parties and their systems from a risk-based perspective The Company also conducts cybersecurity training for employees (including mandatory training programs for system users).

 

Many of the Company’s IT systems operate with a hosted architecture or by third-party service providers, and if these third-party IT environments fail to operate properly, our systems could stop functioning for a period of time, which could put our users at risk. Accordingly, our ability to keep our business operating is highly dependent on the proper and efficient operation of IT service providers, and our vendor management process is an important part of our risk mitigation strategy. In particular, we obtain reports from our vendors handling sensitive data as to their efficacy and efficiency in managing cybersecurity issues and follow-up with them on any potential or actual issues. Notwithstanding, if there is a catastrophic event, such as an adverse weather condition, natural disaster, terrorist attack, security breach, or other extraordinary event, the Company, and our service providers, may be unable to provide our products or services for the duration of the event and/or a time thereafter.

 

Considering the pervasive and increasing threat from cyberattacks, the board and the audit committee, with input from management, assess the Company’s cybersecurity threats and the measures implemented by the Company to mitigate and prevent cyberattacks. The audit committee consults with management regarding ongoing cybersecurity initiatives, and requests management to report to the audit committee or the full board regularly on their assessment of the Company’s cybersecurity program and risks. Both the audit committee and the full board will receive regular reports from its senior management on cybersecurity risks, timely reports regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Our board has risk management experience. We hire consultant and third parties to conduct our threat assessments and supplement the monitoring of such threats by utilizing online data tools.

 

43

 

 

In addition, the Company’s information security and/cybersecurity program is managed by our Chief Technology Officer (“CTO”) a, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The CTO provides periodic reports to our audit committee as well as our Co-Chief Executive Officers and Chief Financial Officer and other members of our senior management as appropriate. We have also established cross-functional teams to collaborate and communicate on cybersecurity-related issues. The reports to management include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. Our CTO, Mr. Eliran Ben-Zikri served in the one of the most elite computer units of the Israeli Defense Force and has over 10 years of experience in the cloud technology, previously holding senior positions in leading Israeli technology companies, including eToro and SimilarWeb.

 

As of the date of this report, the Company is not aware of risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.