AST SpaceMobile, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

AST SpaceMobile, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:16:32 EDT.

Filings

10-K filed on 2024-04-01

AST SpaceMobile, Inc. filed an 10-K at 2024-04-01 16:16:32 EDT
Accession Number: 0000950170-24-039342

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management and strategy Our cybersecurity risk management strategy and processes, which are integrated into our overall risk management process, for assessing, identifying and managing material risks from cybersecurity threats are designed based on established frameworks and standards developed by the National Institute of Standards and Technology ( NIST ). Although this does not mean that we currently meet all technical standards, specifications, or requirements, we use this framework, complemented by insights from internal assessments, to guide the development of policies governing the use of our information assets, access to intellectual property, and the safeguarding of personal information. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity defense strategy based on prevention, detection and containment. We employ industry standard measures directly or indirectly related to cybersecurity, such as multifactor authentication, endpoint protection defenses, antivirus protection, encryption standards, restricting access based on business necessity, and remote access monitoring. Our employees undergo regular cybersecurity awareness training, receive guidance on protecting confidential information, and participate in simulated phishing exercises. The training provides employees with a baseline understanding of cybersecurity fundamentals to prevent security breaches and safely identify potential threats. We engage third parties to conduct penetration testing and evaluate our adherence to industry-standard frameworks. We assess the security framework employed by our third party service providers including their reports on security, availability and confidentiality to assess and identify material risks from cybersecurity threats associated with our use of third party applications. We have also established liaison programs with the Federal Bureau of Investigation ( FBI ) and U.S. Cybersecurity & Infrastructure Security Agency ( CISA ) to monitor, identify, and counter advanced persistent threats specific to our company and industry. As part of this program, we have an FBI Special Agent assigned as our Liaison Officer who provides us with periodic cybersecurity threat briefings, and also provides counter-threat support on request. As of December 31, 2023, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected or are reasonably likely to materially affect our business strategy, financial condition or results of operations. For further details on cybersecurity risks, please refer to the Risk Factors discussion in Item 1A of this Report, including the discussion under the heading Cyberattacks impacting our networks or systems may have a material effect on our operations. 37 Governance of cybersecurity risk management Our Board of Directors, acting through the Audit Committee, is responsible for overseeing management s implementation and execution of the risk management process, including our cybersecurity risk management strategy and processes. Our Audit Committee reviews and deliberates on our risk assessment and risk management practices, including cybersecurity risks, in collaboration with management. Management bears the responsibility for the day-to-day assessment and management of cybersecurity risks. We have formed a Cyber Security Incident Response Team ( CSIRT ) to manage and govern the response to any real or suspected cybersecurity incidents. The CSIRT core team, consisting of the information technology team, classifies detected cybersecurity incidents into one of three categories based on potential impact to the functionality of the affected systems, possible or known information involved and recoverability effort. The classification of cybersecurity incidents is designed to allow rapid prioritization, response and escalation. The CSIRT core team engages with third party experts and cross-functional CSIRT members, as required, to manage the cybersecurity incidents. Cybersecurity incidents that are potentially significant or could result in a material impact are reported to the CSIRT Executive team, consisting of designated executives of the Company. The CSIRT Executive team is responsible for the oversight of the cybersecurity incidents and related critical decisions, performing a materiality assessment, overseeing the public disclosure of material cybersecurity matters, engaging law enforcement agencies, including our local FBI Liaison Officer, correspondence with the media, and communicating with our Audit Committee and Board of Directors, as appropriate.

Company Information