AAR CORP 10-K Cybersecurity GRC - 2025-07-21

Page last updated on September 8, 2025

AAR CORP reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-07-21 21:46:43 EDT.

Filings

10-K filed on 2025-07-21

AAR CORP filed a 10-K at 2025-07-21 21:46:43 EDT
Accession Number: 0001410578-25-001475


Item 1C. Cybersecurity.

We face many cybersecurity threats including ransomware, denial-of-service attacks, business email compromise, and persistent threats from state-affiliated groups. We have experienced cyber-attacks in the past and may experience cybersecurity incidents in the future. While prior incidents have not materially affected our business, results of operations or financial condition, there is no guarantee that a future cyber threat or cyber incident would not affect our business strategy, results of operations or financial condition. See Item 1A. Risk Factors for more information on our cybersecurity risks.

Risk Management and Strategy

We maintain documented information security policies and standards to protect operations, assets, data and services and to defend against, respond to and recover from potential cyberattacks. Our cybersecurity strategy and risk management processes use the National Institute of Standards and Technology governance requirements and cybersecurity framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our approach to cybersecurity risk management includes multiple complementary elements to mitigate our cybersecurity risks. We utilize multi-layered defenses to help prevent attacks including the use of data analytics to help detect anomalies and search for cyber threats. We have comprehensive cyber threat detection and response capabilities with applied threat intelligence, and continuous monitoring to complement other technology, processes and threat detection techniques we have in place. We subscribe to third-party managed security services that continuously monitor our systems and networks to assist with early cybersecurity threat detection and protection. We work with government, customer, industry and/or supplier partners to gather and develop policies and standards and share information to address cyber threats.
We conduct information security assessments of partners before sharing or allowing the hosting of data in computing environments managed by third parties. We require our employees to complete phishing and other awareness training to help identify, avoid and mitigate cybersecurity threats.

While our primary focus is on prevention and detection of cybersecurity threats, we have response and recovery plans in effect, as well as service agreements with outside experts should there be a need for us to respond to an attack. We have adopted a cybersecurity incident response plan that provides direction and a defined approach for preparing for, identifying and responding to cybersecurity incidents that may pose a potential threat to our information systems, networks and data. The detailed plan defines the roles and responsibilities of all parties included in our cybersecurity incident response team which incorporates our IT team, senior management, and other functional areas. We also have controls and procedures for reporting material cybersecurity incidents, including review of significant cybersecurity incidents by a cross-functional team to determine whether further escalation is necessary.

We also periodically conduct practice exercises with management to familiarize the management team with our cyber incident response capabilities and processes. We also conduct internal and third-party assessments or penetration tests to validate our cybersecurity controls and improve our security posture. We also maintain cybersecurity liability insurance coverage.
Our Chief Information Security Officer (“CISO”) partners with management in internal functions, such as finance, legal, and internal audit, in overseeing information security risks, as well as third-party consultants who perform risk-based assessments with recommendations for designing, implementing, executing, monitoring, and improving our cybersecurity risk management program and strategies, which helps align our programs and strategies with our business and operational objectives. Results of third-party assessments are shared with the Audit Committee and the Board of Directors.

Governance

To facilitate the prevention, detection and timely response to information security threats, we have a dedicated CISO whose team is responsible for managing our information security strategy, policies, standards, and processes. The information security team provides security monitoring and response and provides regular reports to the CISO to inform about and monitor the prevention, detection, mitigation and remediation of cybersecurity risks. The CISO, who also serves as our data protection officer, reports directly to our Chief Digital & Technology Officer (“CDTO”), who reports directly to our Chairman, President and Chief Executive Officer.

Our CISO and CDTO have extensive experience and expertise in developing, implementing, and operating security policies and procedures covering our network and critical data. Our CISO has 35 years of experience in information technology systems and is a 25-year military veteran of the U.S. Navy and Navy Reserves with a Top Secret/Sensitive Compartmented Information (TS/SCI) U.S. security clearance and multiple combat deployments in information warfare.
Additionally, our CISO holds several certifications, including, among others, the following security certifications: Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Network Defense Analyst (CNDA), Disaster Recovery Institute International (DRII), and CompTIA - Network+ and Security+. Our CDTO has over 25 years of leadership experience across all aspects of technology-enabled digital transformations, including leading multiple transformations at a major airline prior to his role at AAR. He previously advised companies across multiple industries in collaboratively developing and executing their digital and technology roadmaps as a consultant at a major firm.

The CDTO and CISO regularly review cybersecurity matters with members of our senior management. These discussions include the latest cybersecurity risks and threats, the status of our cybersecurity incident response plan, and our overall process relating to the prevention, detection, mitigation and remediation of cybersecurity incidents.

Our Board of Directors, through its Audit Committee, is responsible for overseeing our cybersecurity risk management. On a regular basis, the Board of Directors or Audit Committee receive and review reports from the CDTO and CISO relating to the status of cybersecurity planning and protections, the overall state of our cybersecurity program, emerging cybersecurity developments and threats, and our strategy to mitigate cybersecurity risks.


Company Information

Name: AAR CORP
CIK: 0000001750
SIC Description: Aircraft & Parts
Ticker: AIR - NYSE
Category: Large accelerated filer
Fiscal Year End: May 30