Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk assessment, policies and procedures

The Company is dependent on the use of technology and systems to run its operations. These technologies and systems include, among others, the Company's website and reservation system; flight planning and scheduling systems; flight dispatch and tracking systems; crew scheduling systems; baggage check-in kiosks; aircraft maintenance, planning, and record keeping systems; telecommunications systems; human resources systems; and financial planning, management, and accounting systems. The Company is committed to safeguarding these information systems and the information they hold, from unauthorized access, use, disclosure, disruption, modification or destruction.

The Company’s processes for identifying, assessing and managing material risks from cybersecurity threats (including those associated with the Company’s use of third party service providers) are incorporated into its Enterprise Risk Management ("ERM") framework, alongside other critical business risks. The teams responsible for ERM and

Information Security coordinate to review and assess these risks using a wide range of tools and services. The Company believes that integrating cybersecurity risks into its ERM framework ensures a proactive approach to cybersecurity, lessens the need for third party assistance in managing cybersecurity threats and helps safeguard the Company’s operations, financial performance and reputation.

The Company’s cybersecurity program is designed to detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. The program utilises guidance drawn from the U.S. National Institute of Standards and Technology Cybersecurity Framework to set the cybersecurity agenda and prioritise cybersecurity activities. The strategies employed by the program, among others, include:

●

the application of policies and procedures designed to comply with data security and privacy obligations;

●

the implementation of administrative, technical, and physical controls;

●

the utilisation of a Security Operations Centre that conducts ongoing monitoring of networks and systems for potential signs of suspicious activity;

●

the requirement that staff complete cybersecurity training, which is updated as new technology, security and privacy issues emerge;

●

the tracking of key performance indicators and cybersecurity metrics to evaluate existing cybersecurity controls and practices;

●

maintaining a cybersecurity incident response plan to respond to cybersecurity incidents, which includes standard processes for reporting, escalating and recommending remediation actions for cybersecurity incidents to senior management; and

●

conducting periodic simulated cybersecurity scenarios to provide hands-on training and test the preparedness of the team to deal with cybersecurity threats.

Cybersecurity Risk Management Processes Integrated [Text Block]

The Company’s processes for identifying, assessing and managing material risks from cybersecurity threats (including those associated with the Company’s use of third party service providers) are incorporated into its Enterprise Risk Management ("ERM") framework, alongside other critical business risks. The teams responsible for ERM and

Information Security coordinate to review and assess these risks using a wide range of tools and services. The Company believes that integrating cybersecurity risks into its ERM framework ensures a proactive approach to cybersecurity, lessens the need for third party assistance in managing cybersecurity threats and helps safeguard the Company’s operations, financial performance and reputation.

The Company’s cybersecurity program is designed to detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. The program utilises guidance drawn from the U.S. National Institute of Standards and Technology Cybersecurity Framework to set the cybersecurity agenda and prioritise cybersecurity activities. The strategies employed by the program, among others, include:

●

the application of policies and procedures designed to comply with data security and privacy obligations;

●

the implementation of administrative, technical, and physical controls;

●

the utilisation of a Security Operations Centre that conducts ongoing monitoring of networks and systems for potential signs of suspicious activity;

●

the requirement that staff complete cybersecurity training, which is updated as new technology, security and privacy issues emerge;

●

the tracking of key performance indicators and cybersecurity metrics to evaluate existing cybersecurity controls and practices;

●

maintaining a cybersecurity incident response plan to respond to cybersecurity incidents, which includes standard processes for reporting, escalating and recommending remediation actions for cybersecurity incidents to senior management; and

●

conducting periodic simulated cybersecurity scenarios to provide hands-on training and test the preparedness of the team to deal with cybersecurity threats.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance

Board and Audit Committee

The Board is responsible for overseeing management’s assessment of major risks, including cybersecurity, facing the Company and for reviewing options to mitigate such risks. The Board’s oversight of major risks, including cybersecurity risks, occurs at both the full Board level and at the Board committee level through the Audit Committee. The Company benefits from certain Board and Audit Committee members having considerable IT, data and cyber experience.

The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of the Company’s information technology systems from the Chief Technology Officer (“CTO”). These updates generally include any significant cybersecurity incidents, cybersecurity threats, cybersecurity program enhancements, and cybersecurity risks and related mitigation activities. This reporting helps to provide the Audit Committee with an informed understanding of the Company’s dynamic cybersecurity program and threat landscape. The Audit Committee also receives an ERM framework twice a year, in which material cybersecurity risks are identified, assessed and managed.

The Audit Committee has opportunities to report regularly to the Board and review any major issues that arise at the committee level, which may include cybersecurity risks. Senior Management (including the CTO) also brief Board members, including new members, on cybersecurity risks. Based on this information, Board members may request additional information to address any concerns.

Management

The Company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The Company’s cybersecurity function is led by the Head of Information Security, who reports to the CTO.

The Company’s cybersecurity function engages in a range of cybersecurity activities such as threat detection, security mechanisms, and incident response. The cybersecurity function conducts vulnerability management and penetration testing to identify and mitigate vulnerabilities. Regular meetings are held with the Head of Information Security and the CTO to provide visibility of major issues and seek alignment with strategy. As noted in the “Risk assessment, policies and procedures” section above, the Company’s cybersecurity incident response plan includes standard processes for reporting, escalating and recommending remediation actions for cybersecurity incidents to Senior Management. Cybersecurity incidents that meet certain thresholds are escalated to the cybersecurity leaders and cross-functional teams on an as-needed basis for support and guidance.

The Head of Information Security has approximately 30 years of IT experience across manufacturing, banking and aviation, including 13 years of cybersecurity experience. He holds the following relevant qualifications:

●

BSc Information Technology

●

CISSP (Certified Information Systems Security Professional)

●

CISM (Certified Information Security Manager)

●

CEH (Certified Ethical Hacker)

For details of the CTO’s experience, please see “Item 6. Directors, Senior Management and Employees — Senior Management”.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee regularly receives updates on cybersecurity risks and the security and operations of the Company’s information technology systems from the Chief Technology Officer (“CTO”). These updates generally include any significant cybersecurity incidents, cybersecurity threats, cybersecurity program enhancements, and cybersecurity risks and related mitigation activities. This reporting helps to provide the Audit Committee with an informed understanding of the Company’s dynamic cybersecurity program and threat landscape. The Audit Committee also receives an ERM framework twice a year, in which material cybersecurity risks are identified, assessed and managed.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The Head of Information Security has approximately 30 years of IT experience across manufacturing, banking and aviation, including 13 years of cybersecurity experience. He holds the following relevant qualifications:

●

BSc Information Technology

●

CISSP (Certified Information Systems Security Professional)

●

CISM (Certified Information Security Manager)

●

CEH (Certified Ethical Hacker)

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true