American Outdoor Brands, Inc. 10-K Cybersecurity GRC - 2025-06-26

Page last updated on June 26, 2025

American Outdoor Brands, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-26 16:16:18 EDT.

Filings

10-K filed on 2025-06-26

American Outdoor Brands, Inc. filed a 10-K at 2025-06-26 16:16:18 EDT
Accession Number: 0001808997-25-000014

Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented a set of comprehensive cybersecurity and data protection policies and procedures placing special interest in addressing cybersecurity threats and effectively managing associated risks. Our cybersecurity program is designed to identify, assess, and proactively manage material risk from cybersecurity threats, which are integrated into our overall risk management systems, as overseen by the Company’s Board of Directors, primarily through its Audit Committee. Risks from cybersecurity threats are regularly evaluated as a part of our broader risk management activities and as a fundamental component of our internal control system.

Our information technology, or IT, program is led by our Director of Information Technology, who strives to monitor and mitigate risks from cybersecurity threats and provides reporting to the Audit Committee. Our approach to cybersecurity is not a one-time effort but an ongoing process. We engage in monitoring, risk assessments, and robust security measures designed to ensure the confidentiality, integrity, and availability of our information systems, including critical computer networks, hosted services, communication systems, hardware, and software and to protect critical data, including our employees’ and customers’ data, intellectual property, confidential and proprietary data, and strategic competitive information. We address cybersecurity challenges and enhance our overall risk management efforts by adopting and working to integrate recognized best practices, standards, and controls utilizing guidelines from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) for our protection and prevention of cybersecurity, risk management, data backup, and disaster recovery.

Our cybersecurity program includes some key aspects such as (i) a Cybersecurity Leader who oversees our day-to-day program, (ii) outsourced information technology firm and consultants with significant expertise in cybersecurity, (iii) an incident response team comprised of a cross-section of management with oversight over our programs, (iv) incident detection and response policies, and (v) ongoing security awareness training programs for all employees. We maintain a practical approach to cybersecurity. Our cybersecurity risk management program (an integral part of our overall Enterprise Risk Management Program) is designed to incorporate guidance from NIST CSF and other industry best practices. Within our program, we conduct internal and external security-based activities, including reviews and assessments of our third-party service providers and vendors. Our employees receive a formal cybersecurity awareness training on an annual basis, including specific topics related to social engineering and email frauds.

Detailed activities include:

- Continuous Monitoring and Detection: Leveraging industry leading technologies to detect and alert on any suspicious activity across the enterprise to prevent and minimize cybersecurity attacks;
- Information Security Assessments: Collaborating with internal and external partners to evaluate our data and network security;
- Vulnerability Scanning and Penetration Testing: Engaging third-party service providers to assess internal and external vulnerabilities and potential threats;
- Cyber Risk Register Reviews: Regularly reviewing our internal risk register to remain fully informed and prepared to address potential and identified risks;
- Risk Prioritization: Prioritizing and addressing risks through our dedicated cybersecurity risk management program and cybersecurity council;
- Annual Third-Party SOC Reviews: Ensuring that our financially critical service partners maintain effective internal controls, including access controls, change management, backup, and disaster recovery planning; and
- Tabletop Exercises and Event Simulations: Engaging all employees across the company to build awareness, education, and enhance our cyber response posture and the collective team decision-making processes.

For more information about these risks, see the risk factor titled “Our business is subject to the risk of terrorism, cyberattacks, or failure of key information technology systems,” “Breaches of our information systems could adversely affect our reputation, disrupt our operations, and result in increased costs and loss of revenue,” and “If our efforts to protect the security of personal information related to any of our customers, consumers, vendors, or employees are unsuccessful and unauthorized access to that personal information is obtained, or we experience a significant disruption in our computer systems or a cyber security breach, we could experience an adverse effect on our operations, we could be subject to costly government enforcement action and private litigation, and our reputation could suffer” under Item 1A.

Governance

Our Board of Directors has assigned oversight of cybersecurity risk management to the Audit Committee. The Audit Committee regularly receives reports from management, including IT leadership, and third parties on cybersecurity matters. In addition, our full Board of Directors receives reports addressing cybersecurity as part of our overall enterprise risk management program and to the extent cybersecurity matters are addressed in regular business updates. We periodically engage third-party audit and legal firms with industry-recognized expertise on cybersecurity matters to review specific aspects of our cybersecurity enterprise risk management framework and controls. IT leadership is responsible for developing appropriate cybersecurity programs, including as may be required by applicable law or regulation. This includes the coordination and creation of an Incident Response Policy, Incident Response Team, and Incident Response Plan in the event of a cybersecurity event. The AOB Incident Response policy covers our internal program and guidelines.

The incident response team is composed of various stakeholders from all necessary aspects of the business, and the plan includes the steps to follow and communications necessary if/when a cybersecurity event occurs. The individual incident response team members represent expertise in IT, cybersecurity, finance, and operations that has been obtained generally from a combination of education and awareness, including relevant degrees and/or certifications, and work experience. The Director of IT has served in various roles in information technology and information security for 30 years, including serving in technical management and leadership positions in multiple verticals. The Director of IT holds undergraduate and graduate degrees in computer science and has attained several recognized network and security certifications throughout their career.

The individual incident response team members are informed by their respective cybersecurity teams regarding the monitoring, prevention, detection, mitigation and remediation of cybersecurity incidents as part of the cybersecurity programs described above. Information regarding cybersecurity risks may be elevated by IT leadership through a variety of channels, including discussions between or among key leaders and our management and reports to the Company’s Board of Directors and/or certain Board committees.

When a cybersecurity incident is detected, we conduct an immediate assessment, determine materiality, and take appropriate actions as described above. This process is also followed when we are notified that a supplier has a cybersecurity incident. As noted above, the Audit Committee regularly receives reports on cybersecurity matters from senior IT leadership.

Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.


Company Information

Name: American Outdoor Brands, Inc.
CIK: 0001808997
SIC Description: Sporting & Athletic Goods, NEC
Ticker: AOUT - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: April 29