Archer Aviation Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Archer Aviation Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 17:12:26 EST.

Filings

10-K filed on 2026-03-02

Archer Aviation Inc. filed a 10-K at 2026-03-02 17:12:26 EST
Accession Number: 0001824502-26-000019

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We understand the importance of maintaining an active cybersecurity risk management and strategy program. As an emerging technology company, we understand that we may face cyber threats that range from common cyberattacks, such as ransomware, to more advanced attacks such as advanced persistent threats perpetrated by nation-state actors and other highly organized actors. Our cybersecurity risk management program is guided by industry standards, such as the National Institute of Standards and Technology ("NIST"). We strategically partner with industry leading external vendors to perform cybersecurity assessments, as well as regular penetration testing to better understand our potential vulnerabilities, threat vectors, and impact on critical assets or operations. As part of these processes, our cybersecurity team identifies and prioritizes risks to devise our annual cybersecurity mitigation strategy and address operational risks. Our cybersecurity program is organized around the following key areas: Risk Management and Strategy We maintain a cybersecurity risk management program to assess, identify, and address significant cybersecurity risks, incorporating them into our broader enterprise risk management processes. Our program is guided by recognized industry standards and is designed to be risk-based and adaptable as our business, technology, and threat landscape evolve. We rely on a combination of internal resources and, when appropriate, third-party service providers to support activities such as security assessments, vulnerability detection, and testing. Key elements of our cybersecurity program include: - Risk assessment and prioritization processes aim to identify cybersecurity risks, including those related to third-party service providers , and to facilitate remediation planning and tracking. - Employee security awareness and training are designed to improve cybersecurity hygiene and help employees recognize and report suspected threats, such as phishing and social engineering. - Technical and administrative safeguards to minimize the likelihood and impact of cybersecurity incidents, including endpoint security, identity and access management, and network protection. - Monitoring and detection practices, including the use of security tooling and, when appropriate, third-party services, are designed to help identify indicators of compromise and support response activities. - Incident response processes designed to support investigation, containment, remediation, recovery, and escalation, including consideration of cybersecurity incident materiality and related disclosure requirements. Cybersecurity Service Providers and Third-party Consultants . In addition to our internal cybersecurity team, we engage cybersecurity consultants and other third parties to assess and enhance our information security practices. These third parties conduct assessments, penetration testing, and vulnerability assessments to identify weaknesses and recommend improvements. We also utilize third-party tools and technologies to support our efforts to enhance our cybersecurity functions. Governance The Audit Committee of our Board of Directors provides oversight of cybersecurity risks and receives updates from management on cybersecurity matters. The Chief Information Security Officer ("CISO") and management team are responsible for the day-to-day operation of our cybersecurity program, including assessing and managing material risks from cybersecurity threats and reporting relevant matters to the Audit Committee and, as appropriate, the full Board. We may engage third-party service providers and consultants to assist with aspects of our cybersecurity program, and management oversees these relationships consistent with our risk management practices. In 2025, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. For additional discussion of cybersecurity risks, see the section entitled "Risk Factors - Our business and reputation are impacted by information technology system failures and network disruptions."

Company Information