Cybersecurity Policy Statement

The safety and security of our customers and team members is American’s top priority. This includes working to put in place the appropriate administrative, physical and technical cybersecurity safeguards to protect our assets that keep our operation running and store the personal data in our care.

Cybersecurity framework

To further this objective, American has created an integrated cybersecurity framework using various National Institute of Standards and Technology (NIST) security standards, guidelines and best practices. The goal of this framework is to identify and mitigate cybersecurity risks, protect American’s assets, and detect, respond to and recover from cybersecurity incidents when they occur. We engage external cybersecurity experts to evaluate our cybersecurity program capabilities against this framework. We use these assessments, and the results of internal audits, to improve our capabilities.

Dedicated cybersecurity team

American has a dedicated cybersecurity team responsible for implementing and maintaining our program, which includes team members responsible for cybersecurity incident response and vulnerability management. This team is led by our Chief Information Security Officer, who reports directly to our Chief Digital and Information Officer, who reports directly to our Chief Executive Officer.

Cybersecurity program

As a part of our cybersecurity program, using internal and third-party industry experts, we scan and test our environment for vulnerabilities and weaknesses, and we have a process in place to remediate identified issues based on the threat levels that we believe they represent. We also maintain a responsible disclosure program for external parties to report any potential security concerns. In addition, our cybersecurity team carries out tabletop exercises to help prepare for and respond to incidents. In the event of an incident, we respond consistent with our incident response plans to mitigate information security risks and adhere to applicable law.

Cybersecurity oversight

American works to promote cybersecurity awareness. At the Board level, our Audit Committee is primarily responsible for oversight of cybersecurity risk and receives quarterly updates about our cybersecurity program and related risks. At the management level, the Executive Cyber Risk Group and our Disclosure Committee receive regular updates regarding the security risk posture of our information technology assets.

Cybersecurity awareness

At the team member level, we have a mandatory data security awareness training program focused on education about cybersecurity risk based on our internal policies and procedures related to cybersecurity, privacy and compliance. In addition, team members receive quarterly communications about cybersecurity awareness, and business units have a designated cybersecurity-focused resource to help them learn about and incorporate cyber resiliency into their day-to-day practices. Throughout the year, we also run cybersecurity education campaigns, including, for example, testing our team members with phishing messages, to assess and build appropriate cyber behaviors across our organization.

December 6, 2023
