AAR CORP - (AIR)
10-K Filing Date: July 18, 2024
We face many cybersecurity threats including ransomware, denial-of-service attacks, business email compromise, and persistent threats from state-affiliated groups. We have experienced cyber-attacks in the past and may experience cybersecurity incidents in the future. While prior incidents have not materially affected our business, results of operations or financial condition, there is no guarantee that a future cyber threat or cyber incident would not affect our business strategy, results of operations or financial condition. See Item 1A. Risk Factors for more information on our cybersecurity risks.
Risk Management and Strategy
We maintain documented information security policies and standards to protect operations, assets, data and services and to defend against, respond to and recover from potential cyberattacks. Our cybersecurity strategy and risk management processes use the National Institute of Standards and Technology governance requirements and cybersecurity framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our approach to cybersecurity risk management includes multiple complementary elements to mitigate our cybersecurity risks. We utilize multi-layered defenses to help prevent attacks including the use of data analytics to help detect anomalies and search for cyber threats. We have comprehensive cyber threat detection and response capabilities with applied threat intelligence, and continuous monitoring to complement other technology, processes and threat detection techniques we have in place. We subscribe to third-party managed security services that continuously monitor our systems and networks to assist with early cybersecurity threat detection and protection.
We work with government, customer, industry and/or supplier partners to gather and develop policies and standards and share information to address cyber threats. We conduct information security assessments of partners before sharing or allowing the hosting of data in computing environments managed by third parties. We require our employees to complete phishing and other awareness training to help identify, avoid and mitigate cybersecurity threats.
While our primary focus is on prevention and detection of cybersecurity threats, we have response and recovery plans in effect, as well as service agreements with outside experts should there be a need for us to respond to an attack. We have adopted a cybersecurity incident response plan that provides direction and a defined approach for preparing for, identifying and responding to cybersecurity incidents that may pose a potential threat to our information systems, networks and data. The detailed plan defines the roles and responsibilities of all parties included in our cybersecurity incident response team which incorporates our IT team, senior management, and other functional areas.
We also have controls and procedures for reporting material cybersecurity incidents, including review of significant cybersecurity incidents by a cross-functional team to determine whether further escalation is necessary. We also periodically conduct practice exercises with management to familiarize the management team with our cyber incident response capabilities and processes. We also conduct internal and third-party assessments or penetration tests to validate our cybersecurity controls and improve our security posture. We also maintain cybersecurity liability insurance coverage.
Governance
To facilitate the prevention, detection and timely response to information security threats, we have a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for managing our information security strategy, policies, standards, and processes. The CISO reports directly to our Chief Digital & Technology Officer (“CDTO”), who reports directly to our Chairman, President and Chief Executive Officer. Our CDTO and CISO have extensive experience and expertise in developing, implementing, and operating security policies and procedures covering our network and critical data. The CDTO and CISO regularly review cybersecurity matters with members of our senior management. These discussions include the latest cybersecurity risks and threats, the status of our cybersecurity incident response plan, and our overall process relating to the prevention, detection, mitigation and remediation of cybersecurity incidents.
Our Board of Directors, through its Audit Committee, is responsible for overseeing our cybersecurity risk management. On a regular basis, the Board of Directors or Audit Committee receives and reviews reports from the CDTO and CISO relating to the status of cybersecurity planning and protections, the overall state of our cybersecurity program, emerging cybersecurity developments and threats, and our strategy to mitigate cybersecurity risks.