Sky Harbour Group Corp 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Sky Harbour Group Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 16:02:18 EDT.

Filings

10-K filed on 2024-03-27

Sky Harbour Group Corp filed an 10-K at 2024-03-27 16:02:18 EDT
Accession Number: 0001437749-24-009585

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity represents a critical component of our overall approach to risk management. Our cybersecurity policies, standards and practices are fully integrated into our enterprise risk management ( ERM ) approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by our Board. Our cybersecurity policies, standards and practices follow recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. We generally approaches cybersecurity threats through a cross-functional, multilayered approach, with specific the goals of: (i) identifying, preventing and mitigating cybersecurity threats to us (ii) preserving the confidentiality, security and availability of the information that we collect and store to use in our business (iii) protecting our intellectual property (iv) maintaining the confidence of our tenants, vendors and airport partners and (v) providing appropriate public disclosure of cybersecurity risks and incidents when required. Risk Management and Strategy Consistent with overall ERM policies and practices, the Company s cybersecurity program focuses on the following areas: we maintain cybersecurity threat operations with the specific goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response plans we deploy systems safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through ongoing vulnerability assessments and cybersecurity threat intelligence we utilize collaboration mechanisms established with other entities, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks we maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems we provide periodic training and education for personnel regarding cybersecurity threats, which reinforces our information security policies, standards and practices, and such training is scaled to reflect the roles, responsibilities and information systems access of such personnel we have established and maintain comprehensive incident response plans that fully address our response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are evaluated on an regular basis we utilize a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from our technology, operations, legal, finance and other key business functions, as well as the members of the Board and the Audit Committee in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner and the Board s oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with the Company s Chief Financial Officer, Chief Accounting Officer, other members of management. 31 Table of Contents Governance The Board, in coordination with the Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that our management implements to address risks from cybersecurity threats. The Board and the Audit Committee each participate in relevant discussions on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Board and the Audit Committee would also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed, to the extent applicable. Our Director of Information Technology is principally responsible for overseeing our cybersecurity risk management program, in partnership with other members of our management team. The Director of Information Technology works in coordination with the other members of our cybersecurity committee, which includes our Chief Financial Officer, Chief Accounting Officer and In-house Counsel. Our Director of Information Technology has served in various roles in information technology and information security for over 26 years. Our Director of Information Technology, in coordination with our cybersecurity committee, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. Through the ongoing communications with our organization, the Director of Information Technology and the cybersecurity committee monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate.

Company Information