Bridger Aerospace Group Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

Bridger Aerospace Group Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-20 16:10:49 EDT.

Filings

10-K filed on 2024-03-20

Bridger Aerospace Group Holdings, Inc. filed an 10-K at 2024-03-20 16:10:49 EDT
Accession Number: 0001628280-24-012213

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as defined in Item 106(a) of Regulation S-K, and are integrating them into our overall risk management systems and processes by implementing and maintaining various technical, physical, and organizational safeguards, such as policies, standards, and practices relating to: risk assessments incident detection and response 45 Table of Contents vulnerability management internal controls within our IT, Security and other departments network security controls access controls physical security asset management system monitoring employee cybersecurity awareness and training phishing tests the use of the internet, social media, email and wireless devices firewalls and intrusion prevention systems endpoint detection and response systems and anti-malware functionality. As part of this process, we engaged external consultants who assessed our internal cybersecurity programs and alignment with applicable practices and standards, such as the Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission framework. We have also retained external service providers to monitor identified risk exposures, provide ongoing recommendations and software tools for their detection and mitigation, as well as evaluating the impact and coordinating the recovery from any incidents or breaches, should they occur. Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of service providers when handling and/or processing our employee, business or customer data. Further, in February 2024, we formalized our policy of monitoring third-party cybersecurity risks by requiring its consideration and approval by the IT change control board as a part of vendor selection and solution procurement. Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. It receives updates on matters of cybersecurity from senior management during regular quarterly meetings and in the interim, if warranted. This includes existing and new cybersecurity risks, how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our cybersecurity risk management and strategy processes are coordinated by our Director of Technology. He maintains the Certified Information Systems Security Professional certification and has eight years of senior leadership experience in defensive cyber security in both the private sector and Department of Defense. He is supported by leaders from our Information Technology, Document Management, and Compliance teams, as well as management s Disclosure Committee who have extensive work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. They draw on their knowledge of daily information technology operations, ongoing cybersecurity initiatives and various monitoring tools to ultimately report through the Director of Technology and Director of Internal Controls to the Audit Committee on the monitoring, prevention, mitigation, detection and remediation of cybersecurity incidents. In the event the Audit Committee determines that a cybersecurity incident has occurred, the Audit Committee will evaluate whether to escalate the cybersecurity incident to the full Board. The processes described above have not indicated, as of the date of this Annual Report on Form 10-K, any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that we believe have materially affected us in the year ended December 31, 2023 or are reasonably likely to materially affect our company, including its business strategy, results of operations, or financial condition. . For more information on our cybersecurity risks, see the section of this Annual Report on Form 10-K entitled Risk Factors We rely on our IT systems to manage numerous aspects of our business. A cyber-based attack of these systems could disrupt our ability to deliver services to our customers and could lead to increased overhead costs, decreased sales, and harm to our reputation. 46 Table of Contents

Company Information