FLYEXCLUSIVE INC. 10-K Cybersecurity GRC - 2024-04-30

Page last updated on May 1, 2024

FLYEXCLUSIVE INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-30 21:45:26 EDT.

Filings

10-K filed on 2024-04-30

FLYEXCLUSIVE INC. filed an 10-K at 2024-04-30 21:45:26 EDT
Accession Number: 0001628280-24-019447

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity flyExclusive s management and Board of Directors recognize the importance of information security and managing risks from cybersecurity threats across the enterprise. We have designed our cybersecurity risk management program (the Cybersecurity Program ) to assess, identify, and manage these risks. Risk Management Strategy Overview Our Cybersecurity Program is based on the Cybersecurity Framework ( CSF ) promulgated by the National Institute of Standards and Technology ( NIST ) and other applicable industry standards, and includes the following key elements: 1. identification and assessment of cybersecurity threats based on periodic internal and external assessments and monitoring, information from internal stakeholders, and external publications and resources 2. technical and organizational safeguards designed to protect against identified threats, including documented policies and procedures, technical controls, and employee education and awareness 3. processes to detect the occurrence of cybersecurity events, and maintenance of incident response and recovery and business continuity plans and processes and 33 Table of contents 4. a third-party risk management process to manage cybersecurity risks associated with our service providers, suppliers, and vendors. The Cybersecurity Program is designed to foster a culture of cybersecurity risk management across the Company. Integration of Risk Management Processes Our Cybersecurity Program is integrated into the Company s overall risk management framework and function, which is overseen by management and the Audit and Risk Committee of the Board of Directors. To that end, management has implemented, with oversight from the Audit and Risk Committee, risk management policies and procedures designed to identify, assess, and mitigate enterprise risks, including those arising from cybersecurity threats. Engagement of Third Parties in Connection with Cybersecurity Risk Management The Company engages a range of external experts to assist in its assessment, identification, and management of risks from cybersecurity threats. These experts include cybersecurity consultants that we engage as part of our continuing efforts to evaluate and improve the effectiveness of our Cybersecurity Program, and other cybersecurity service providers that help identify and detect cybersecurity threats and secure our systems and networks. Oversight of Third-Party Risks Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact flyExclusive in certain circumstances. We have implemented processes for overseeing and managing these risks. Those processes include assessing these third parties information security practices and requiring them to implement appropriate cybersecurity controls and otherwise agree to contractual terms designed to address cybersecurity risks in our agreements with them. Risks from Cybersecurity Threats As of the date of this report, flyExclusive has not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that could be considered material, individually or in the aggregate. Notwithstanding our vigilance and our Cybersecurity Program, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For further information, refer to Section 1A, Risk Factors, for a discussion of risks related to cybersecurity and technology. Governance flyExclusive seeks to ensure effective governance in managing risks associated with cybersecurity threats, as more thoroughly described below. Board of Directors Oversight The Audit and Risk Committee of the Board of Directors is responsible for the oversight of risks from cybersecurity threats. The Audit and Risk Committee receives periodic reports from the Company s Interim Chief Financial Officer ( ICFO ) regarding risks from cybersecurity threats and the implementation and effectiveness of our Cybersecurity Program. The Audit and Risk Committee in turn briefs the Board at scheduled meetings about cybersecurity developments. Management s Role in Cybersecurity Risk Management Management recognizes the importance and its responsibility for day-to-day implementation of the Cybersecurity Program. To this end, we have implemented a governance structure that assigns specific responsibilities to key members of our management team, with oversight by our Board of Directors. The Director of Information Technology ( Director of IT ) is primarily responsible for the operational aspects of our cybersecurity program. This includes the implementation of technical security measures, monitoring of our network and systems for security threats, and working with external experts in the assessment, identification and management of cybersecurity threats. The ICFO has primary responsibility for overseeing the Cybersecurity Program and assessing and managing risks from cybersecurity threats. Our ICFO holds a Bachelor of Science degree in English from the East Carolina University and has held an active CPA license from the state of North Carolina since 1987. The Director of IT has over 16 years of experience in Information Technology roles and holds a diploma of Applied Science in Graphic Arts and Imaging Technology. Monitoring of Cybersecurity Incidents The ICFO oversees our processes for the prevention, detection, mitigation and remediation of cybersecurity incidents. In the event of a cybersecurity incident, we have an established incident response plan and processes for investigating, responding to, and recovering from the incident. Depending on the nature and severity of the incident, the 34 Table of contents plan and those processes also provide for escalating notification of management and the Audit and Risk Committee of the Board of Directors.

Company Information