AeroVironment Inc 10-K Cybersecurity GRC - 2025-06-24

Page last updated on June 25, 2025

AeroVironment Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-24 19:21:24 EDT.

Filings

10-K filed on 2025-06-24

AeroVironment Inc filed a 10-K at 2025-06-24 19:21:24 EDT
Accession Number: 0001558370-25-008838


Item 1C. Cybersecurity.

We face various cybersecurity threats as a prominent target, including denial-of-service attacks, ransomware, phishing, and advanced persistent threats. As an aerospace and defense company providing advanced defense technologies and services to the U.S. and foreign governments, these threats are not just from low-level threat actors, but rise to the level of sophisticated threat actors from organized and funded adversaries, including groups affiliated with various nation states. Our customers, suppliers, subcontractors, and vendors also face similar threats. Cybersecurity incidents impacting us, or any of these third parties, could have a material adverse effect on our operations, financial condition, and results of operations. Given the cybersecurity risks we face, we dedicate ample resources to addressing and mitigating our cyber risks.

Risk Management and Strategy

Our cybersecurity program is designed to identify, detect, protect against, respond to, and recover from cyber risks and incidents. Our cybersecurity program is part of our internal risk management processes, and we continually improve our cybersecurity practices as new threats and vulnerabilities emerge.

Our Chief Information Officer (“CIO”), Chief Information Security Officer (“CISO”), and Vice President of Cybersecurity, all within our “CIO organization,” lead our Detection and Response Team (“DART”) which is responsible for our cybersecurity incident response processes pursuant to our Incident Response Plan and playbooks. The DART also includes members of our IT department responsible for supporting the technologies and processes to protect against, detect, contain, mitigate, and recover from cybersecurity incidents. The DART evaluates and assigns severity levels to cybersecurity incidents and, based on the severity, escalates and engages incident response teams to respond to and mitigate the risks.

Our cybersecurity team proactively hunts for cyber threats and vulnerabilities in our networks and information systems as part of our cyber risk management program. This includes monitoring our networks and systems for indicators of compromise (“IOCs”), active intrusion attempts, and other suspicious activity, including insider threat risks. The cybersecurity team stays apprised of existing and emerging cybersecurity threats through commercial threat intelligence feeds and by partnering and data sharing with third parties such as the U.S. government, law enforcement agencies, customers, and other Defense Industrial Base (“DIB”) participants.

We also engage third parties to conduct evaluations of our cybersecurity controls by performing penetration testing and controlled cybersecurity framework audits. We also review the cybersecurity practices of our third-party service providers and suppliers.

We require our employees to take cybersecurity-related training regularly to promote awareness of how to detect, report, and respond to cybersecurity threats. Employees with certain roles and responsibilities are also assigned cyber training for their specific functions. We also maintain an Insider Threat program, headed by our Director of Security, to identify, assess, and deal with potential risks from within our company, including cybersecurity risks.

We have aligned our cybersecurity program to the National Institute of Standards and Technology’s (“NIST”) published cybersecurity standards, and our policies and processes are compliant with NIST Special Publication 800-171 and other applicable publications. Given our status as a defense contractor, we are subject to numerous regulations, including those pursuant to the Defense Federal Acquisition Regulation Supplement (“DFARS”), requiring us to have controls in place to protect U.S. government CUI and to report cybersecurity incidents to the DoD.

We are also subject to the DoD CMMC requirements, which necessitate that companies receiving, storing, or processing federal contract information (“FCI”) and CUI be formally assessed by a CMMC C3PAO. AeroVironment, Inc., including its subsidiaries Arcturus UAS and Tomahawk Robotics (but excluding any of the BlueHalo acquired entities) is scheduled for a formal Level 2 assessment. The recently acquired BlueHalo passed a formal CMMC Level 2 assessment under the CMMC 2.0 framework, which went into effect December 16, 2024. If we fail to achieve or maintain certification ahead of contract awards, or if we fail to achieve the level required for a particular contract, we will be unable to bid on new contracts or follow-on efforts containing CMMC clauses, which could adversely impact the success of our operations. Additionally, our subcontractors and certain vendors may need to obtain CMMC certification, and we may be negatively impacted if they are not compliant with the CMMC requirements.

Governance

Our CIO, CISO, and VP of Cybersecurity, each with 20+ years of related experience, are responsible for the day-to-day management of our cybersecurity program and cybersecurity risks. Our CISO and team are primarily responsible for our overall cybersecurity risk management program and supervise both internal and external resources to identify, protect against, detect, respond to, and recover from cybersecurity risks, threats, and incidents.

We have an internal Cybersecurity Council which meets monthly to help communicate our enterprise cybersecurity strategy and ensure it is implemented across the business, as well as maintain awareness of events and changes occurring throughout the business. The Cybersecurity Council consists of members from our CIO organization as well as senior leadership from various functional areas of the business.

The CISO and VP of Cybersecurity report cybersecurity incidents to members of the company’s senior management, including the Cybersecurity Council, CIO, CEO, and the Board of Directors based on the severity and type of the incident to ensure proper external reporting is completed thoroughly and timely.

Pursuant to its charter, the Cybersecurity Committee of our Board of Directors is responsible for reviewing, discussing, and making recommendations to the full board regarding cybersecurity matters. Our CIO, CISO, and VP of Cybersecurity provide presentations to the Cybersecurity Committee on our cybersecurity program at each of the committee’s regularly scheduled quarterly meetings. These briefings include assessments of the cyber risk and threats landscape, updates on incidents, policies and procedures, and our investments and plans in cybersecurity risk mitigation and governance. The Cybersecurity Committee also meets with members of the Cybersecurity Council to discuss various aspects of our cybersecurity program between regular meetings. All members of the Board of Directors are invited to attend all meetings of the Cybersecurity Committee, and the committee regularly briefs the entire board regarding their oversight of our cybersecurity program.

Cybersecurity Threats

We have experienced cybersecurity incidents in the past and will experience cybersecurity incidents in the future. Prior cybersecurity incidents have not materially affected, or are reasonably likely to affect, our business strategy, results of operations or financial condition; however, there is no guarantee that a future cybersecurity incident would not have a material adverse effect on such items. While our cybersecurity program is designed to mitigate cybersecurity risks, we cannot eliminate all risks from cybersecurity threats. See Item 1A. Risk Factors for more information on our cybersecurity risks.


Company Information

Name: AeroVironment Inc
CIK: 0001368622
SIC Description: Aircraft
Ticker: AVAV - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: April 29