Unusual Machines, Inc. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

Unusual Machines, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 17:10:53 EDT.

Filings

10-K filed on 2024-03-22

Unusual Machines, Inc. filed an 10-K at 2024-03-22 17:10:53 EDT
Accession Number: 0001683168-24-001643

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Like all companies that utilize technology, we are subject to threats of breaches of our technology systems. To mitigate the threat to our business, we will take a comprehensive approach to cybersecurity risk management. Our management actively oversees our risk management program, including the management of cybersecurity risks. We intend to establish policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats, including those discussed in our Risk Factors. We intend to devote financial and personnel resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make investments to maintain the security of our data and cybersecurity infrastructure. We intend to establish and maintain a Cybersecurity Maturity Model Certification ( CMMC ) compliance program and will work to meet all applicable deadlines. While there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective, we believe that the Company s investment in people and technologies will contribute to a culture of continuous improvement that will put the Company in a position to protect against potential compromises and we do not believe that risks from prior cybersecurity threats have materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that past or future attacks will not materially affect us, including our business strategy, results of operations, or financial condition. Risk Management and Strategy At a high level, the key objectives for the Company s cybersecurity program are to implement and sustain effective security controls to stop intrusion attempts and to maintain and continuously improve its ability to respond to attacks and incidents. Success in achieving these objectives relies upon using quality technology solutions, cultivating and maintaining a team of skilled professionals, and improving processes continuously. Our cybersecurity program in particular will focus on the following key areas: Risk Assessment : At least annually, we will conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources, including reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants. The results of the assessment will be used to develop initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader Company-wide risk assessment that are then reported to our members of management. Technical Safeguards : We will regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Incident Response and Recovery Planning : We will establish a comprehensive incident response and recovery plans that guide our response in the event of a cybersecurity incident. We will continuously test and evaluate the effectiveness of those plans. Vendor Risk Management : We will implement a vendor risk management program for domestic vendors, which will be designed to identify and mitigate cybersecurity threats associated with our use of domestic third-party service providers. Such providers are subject to security risk assessments at the time of on-boarding, contract renewal, and upon detection of an increase in risk profile. We will use a variety of inputs in such risk assessments, including information supplied by providers in response to detailed questionnaires and meetings as well as information from third parties. In addition, we will require our domestic providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. 36 Education and Awareness : Our policies will require each of our employees to contribute to our data security efforts. We will regularly remind employees of the importance of handling and protecting data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. As part of that educational process, we will periodically simulate cybersecurity threats to the Company and review/assess employee responses. In this regard, the Company will implement policies and procedures for all employees including: (i) information security/cybersecurity policies, which are internally available for all employees, (ii) information security/cybersecurity awareness training (iii) a clear escalation process which employees can follow in the event an employee notices something suspicious and (iv) ensuring that information security/cybersecurity is part of the employee performance evaluation and/or disciplinary process.

Company Information