American Outdoor Brands, Inc. - (AOUT)
10-K Filing Date: June 27, 2024
Risk Management and Strategy
We have processes for assessing, identifying, and managing material risks from cybersecurity threats, which are integrated into the Company’s overall risk management systems, as overseen by the Company’s Board of Directors, primarily through its Audit Committee. These processes also include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers. We have established monitoring procedures in our effort to mitigate risks related to data breaches or other security incidents originating from third parties. We engage third-party consultants and legal advisors in evaluating and testing our risk management systems and assessing and remediating certain potential cybersecurity incidents as appropriate.
We have a Written Information Security Program (“WISP”) to protect personal and proprietary information in compliance with applicable federal and state requirements. WISP is designed to:
For more information about these risks, see the risk factors titled “Our business is subject to the risk of terrorism, cyberattacks, or failure of key information technology systems,” “Breaches of our information systems could adversely affect our reputation, disrupt our operations, and result in increased costs and loss of revenue,” and “If our efforts to protect the security of personal information related to any of our customers, consumers, vendors, or employees are unsuccessful and unauthorized access to that personal information is obtained, or we experience a significant disruption in our computer systems or a cyber security breach, we could experience an adverse effect on our operations, we could be subject to costly government enforcement action and private litigation, and our reputation could suffer” under Item 1A.
Governance
Our Board of Directors has assigned oversight of cybersecurity risk management to the Audit Committee. The Audit Committee regularly receives reports from management, including information technology (“IT”) leadership, and third parties on cybersecurity matters. In addition, our full Board of Directors receives reports addressing cybersecurity as part of our overall enterprise risk management program and to the extent cybersecurity matters are addressed in regular business updates.
IT leadership is responsible for developing appropriate cybersecurity programs, including as may be required by applicable law or regulation. This includes the coordination and creation of an Incident Response Policy, Incident Response Team, and Incident Response Plan in the event of a cybersecurity event. The AOB incident response policy covers our internal program and guidelines. The incident response team is composed of various stakeholders from all necessary aspects of the business, and the plan includes the steps to follow and communications necessary if/when a cybersecurity event occurs. The individual incident response team members represent expertise in IT, cybersecurity, and operations that has been obtained generally from a combination of education and awareness, including relevant degrees and/or certifications, and work experience. The head of IT has served in various roles in information technology and information security for over 28 years, including serving in technical management and leadership positions in multiple verticals for 19 years. The head of IT holds undergraduate and graduate degrees in computer science and has attained several recognized network and security certifications throughout their career. The individual incident response team members are informed by their respective cybersecurity teams about, and monitor, the prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above.
Information regarding cybersecurity risks may be elevated by IT leadership through a variety of channels, including discussions between or among key leaders and our management and reports to the Company’s Board of Directors and/or certain Board committees. As noted above, the Audit Committee regularly receives reports on cybersecurity matters from senior IT leadership.
Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition.