XTI Aerospace, Inc. - (XTIA)

10-K Filing Date: April 16, 2024
ITEM 1C: CYBERSECURITY
XTI Aerospace maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program, in conjunction with the Company’s enterprise risk management assessment processes, addresses cybersecurity risks to the corporate information technology (“IT”) environment including systems, hardware, software, data, people, and processes.

The underlying processes and controls of XTI Aerospace’s cyber risk management program incorporate recognized best practices and standards for cybersecurity and IT, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and processes and controls supporting EU General Data Protection Regulation requirements. XTI Aerospace has an annual assessment performed by a third-party specialist of the Company’s cyber risk management program against the NIST CSF. The annual risk assessment identifies, quantifies, and categorizes material cyber risks. In addition, the Company, in conjunction with the third-party cyber risk management specialists, develops a risk mitigation plan to address such risks and, where necessary, remediate potential vulnerabilities identified through the annual assessment process.

In addition, XTI Aerospace maintains policies and procedures over areas such as information security, IT change and configuration management, acceptable use, access on/offboarding, accounts management, and data backup and recovery to help govern the processes put in place by management designed to protect XTI Aerospace’s IT assets, data, and services from threats and vulnerabilities. XTI Aerospace partners with industry-recognized cybersecurity providers, leveraging third-party technology and expertise. These cybersecurity partners to the Company, including consultants and other third-party service providers, are a key part of XTI Aerospace’s cybersecurity risk management strategy and infrastructure and provide services including maintenance of an IT assets inventory, periodic vulnerability testing, identity access management controls including restricted access of privileged accounts, physical security measures at Company facilities, information protection/detection systems including maintenance of firewalls and anti-malware tools, network and traffic monitoring and automated alerting, ongoing cybersecurity user awareness training, industry-standard encryption protocols, capacity management, formalized processes over asset and data destruction, formalized change management processes, data backups management, infrastructure maintenance, incident response, cybersecurity strategy, and cyber risk advisory, assessment and remediation.

XTI Aerospace’s management team, with the Executive Vice President of IT Operations in charge of primary oversight, in conjunction with third-party IT and cybersecurity service providers, is responsible for oversight and administration of XTI Aerospace’s cyber risk management program, and for informing senior management and other relevant stakeholders regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Company’s management team has prior experience selecting, deploying, and overseeing cybersecurity technologies, initiatives, and processes directly or via selection of strategic third-party partners, and also relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by XTI Aerospace for strategic cyber risk management, advisory and decision making. Our Executive Vice President of IT Operations has over 25 years of experience serving in various roles in information technology and information security and has relevant experience in designing, deploying, and maintaining operations for critical IT systems, cloud infrastructure, virtualization technology, corporate networks, data protection, privacy, and governance.

XTI Aerospace has implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third-parties that may lead to a service disruption or an adverse cybersecurity incident. This includes a third-party risk management policy which outlines required risk management processes, including assessment of vendors during the selection/onboarding process, review of SOC 1 reports on an annual basis, and a regular review of vendor contracts and compliance with service level agreements.

The Audit Committee of the Board of Directors oversees XTI Aerospace’s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity stakeholders, including member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk services, brief the Audit Committee on cyber vulnerabilities identified through the risk management process, the effectiveness of XTI Aerospace’s cyber risk management program, and the emerging threat landscape and new cyber risks on at least an annual basis. This includes updates on XTI Aerospace’s processes to prevent, detect, and mitigate cybersecurity incidents. In addition, cybersecurity risks are reviewed by XTI Aerospace’s Board of Directors at least annually, as part of the Company’s corporate risk oversight processes.

XTI Aerospace faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. XTI Aerospace acknowledges that the risk of cyber incidents is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on XTI Aerospace’s business, financial condition, results of operations, or cash flows. The Company proactively seeks to detect and investigate unauthorized attempts and attacks against IT assets, data, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to internal processes and tools and changes or updates to service delivery; however, potential vulnerabilities to known or unknown threats will remain. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors, and additional stakeholders, which could subject the Company to additional liability and reputational harm. In response to such risks, the Company has implemented initiatives such as implementation of the cybersecurity risk assessment process and development of an incident response plan. See Item 1A. "Risk Factors" for more information on cybersecurity risks.