SURF AIR MOBILITY INC. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

SURF AIR MOBILITY INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 17:28:49 EDT.

Filings

10-K filed on 2024-03-29

SURF AIR MOBILITY INC. filed a 10-K at 2024-03-29 17:28:49 EDT
Accession Number: 0000950170-24-038767


Item 1C. Cybersecurity.

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. We have implemented and planned several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.

As part of our overall approach to managing risks, we have implemented the following:

- Cybersecurity incident response plan and procedures
- Change management and software development life cycle ("SDLC") workflow across the Engineering release team
- Role-based access controls across enterprise systems
- Work with partners that have SOC1/SOC2 compliance standards around the management and processing of payment card industry ("PCI") and personally identifiable information ("PII") data
- Use of multi-factor authentication for accessing digital content across important roles in the enterprise
- Implementation of security frameworks to guard against business email compromise and device security to protect against malware, ransomware, and other risks across employees' devices
- Device management tools to centrally manage and update company-owned hardware assets
- Implementation of vulnerability scanning frameworks across digital and hardware assets across the enterprise

Also on our planned roadmap are the below-listed activities:

- Undertake regular reviews of our consumer-facing policies and statements related to cybersecurity
- Implement cybersecurity management and incident training for employees
- Conduct regular phishing email simulations for all employees and contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats
- Iterate our internal processes and response plans to calibrate with emerging threats/trends

As part of our overall approach to enhance our cybersecurity posture, we plan to regularly engage with assessors, consultants, and other third parties to assess and review our program to help identify areas for continued focus, improvement, and/or compliance. Additionally, we are working towards a comprehensive cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by mapping our processes to standards set by the National Institute of Standards and Technology ("NIST") and plan to align our digital assets to Center for Internet Security ("CIS") standards, as well as planned engagement with external entities to penetration test our information systems.

In the last two fiscal years, we have not experienced any material cybersecurity incidents and risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. The expenses incurred from cybersecurity incidents, in which our SaaS infrastructure providers were targeted in larger attacks, were immaterial. This includes penalties and settlements, of which there were none.

Additional information on cybersecurity risks we face can be found in Part I, Item 1A "Risk Factors" of this Report under the headings "We will rely on our information technology systems to manage numerous aspects of our business. A cyber-attack of these systems could disrupt our ability to deliver services to our customers and could lead to increased overhead costs, decreased sales and harm to our reputation" and "System failures, defects, errors or vulnerabilities in our website, applications, backend systems or other technology systems or those of third-party technology providers could harm our reputation and brand and adversely affect our business, financial condition and results of operations," which should be read in conjunction with the foregoing information.

Cybersecurity is an integral part of our risk management processes and an area of increasing focus for our Board and management. Our Board oversees the Company's enterprise risk management process, including the management of risks arising from cybersecurity threats. Our Technology Steering Committee comprising executive leadership, business leaders, and IT is responsible for the oversight of risks from cybersecurity threats. The Technology Steering Committee meets regularly to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks.

We have instituted a quarterly update to our Board members with an overview of the management of our cybersecurity threat risk and strategy processes covering topics such as security posture, progress towards risk-mitigation-related goals, and emerging threat risks or incidents and developments, as well as the steps management has taken to respond to such risks, if any. Pursuant to our cybersecurity incident response framework, we have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Board, as well as ongoing updates regarding any such incident until it has been addressed. Members of the Board and the Technology Steering Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Our cybersecurity risk management and strategy processes are managed in collaboration between Technology and IT teams in close association with business team leads and the executive team. The global IT team is led by our VP of IT at the Company in collaboration with the VP of Technology at Southern. Such individuals collectively have 25 years of prior work experience in various roles involving managing information security, developing cybersecurity strategies, and implementing effective information and cybersecurity programs. We also work very closely with a Senior Advisor to the Board who has a CISSP certification for collaborating on strategies regarding cybersecurity risk management and mitigation.

We have a regular cadence between IT and Tech teams to collaborate on cybersecurity topics. In addition, we encourage communication and participation across the enterprise on cybersecurity-related topics and observations/recommendations. The cybersecurity incident response framework is updated as needed for alignment with current processes and communications.


Company Information

Name: SURF AIR MOBILITY INC.
CIK: 0001936224
SIC Description: Air Transportation, Nonscheduled
Ticker: SRFM - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30