Hyliion Holdings Corp. 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

Hyliion Holdings Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 16:43:47 EST.

Filings

10-K filed on 2024-02-13

Hyliion Holdings Corp. filed a 10-K at 2024-02-13 16:43:47 EST
Accession Number: 0001759631-24-000015


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

We understand the critical importance of cybersecurity and proactively manage vulnerabilities to ensure the confidentiality, integrity, and availability of our information assets. While we have not experienced any material risks from cybersecurity incidents or threats to date, we recognize the evolving threat landscape and remain vigilant in our security posture.

Risk Management and Strategy

Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) 800-37 framework as a foundation, customized to align with our entity size, risk profile, and industry best practices. We believe that leveraging the NIST framework as a foundation ensures a balanced approach for mitigating vulnerabilities while maintaining operational efficiency.

We maintain a comprehensive incident response plan with clearly defined roles and responsibilities. In the event of an incident, the plan outlines notification procedures, containment measures, eradication steps, and recovery processes. We also conduct annual reviews to ensure the plan's effectiveness.

We are currently conducting our annual cybersecurity assessment with the help of third-party specialists, which is expected to be completed in the first quarter of 2024. This assessment covers entity-level controls, threat management, and reviews of critical third-party security measures.

Materiality of individual cybersecurity incidents is determined by a comprehensive assessment framework considering, but not limited to, the following factors:

Impact on Business Operations: Potential disruptions to critical systems, services, or financial transactions.
Data Sensitivity: The nature and sensitivity of the data involved, with incidents concerning personally identifiable information or highly confidential data deemed more material.
Regulatory Compliance: Potential violations of cybersecurity laws, regulations, or industry standards.
Reputational Risk: Harm to the Company's reputation, customer trust, and brand value.
Legal Obligations: Legal requirements for reporting incidents and potential consequences of non-compliance.

Identification, Assessment, and Reporting of Cybersecurity Threats

We employ a multi-layered approach to identify, assess, and report potential cybersecurity threats:

Threat intelligence tracking: We actively monitor relevant threat intelligence feeds and industry best practices to stay informed about emerging threats and vulnerabilities.
Managed Detection and Response (MDR) partnership: We have partnered with a reputable third-party MDR provider to enhance our threat detection and response capabilities. This service provides continuous monitoring, analysis, and proactive response to potential threats, ensuring timely identification and mitigation of cybersecurity incidents.
Metrics and Measurements: We capture telemetry from our IT infrastructure in order to measure the effectiveness of our security controls and identify areas for improvement.

Third-Party Service Providers

We take security seriously when choosing and working with third-party providers and have established processes to oversee and manage risks associated with third-party service providers. We require providers to share their security reports (System and Organization Controls (SOC) 1 and SOC 2) prior to initial engagement and on an ongoing annual basis. We believe that the review of such reports helps us minimize the risk of data breaches or other problems resulting from our third-party relationships, especially with software-as-a-service (SaaS) providers.

Reporting

We have a communication process for incidents based on their severity as outlined in our incident response plan. When a major incident is detected, executive leadership is informed within 24 hours. The audit committee and Chief Financial Officer are notified, and a detailed report is submitted, within 24-48 hours. For moderate incidents, the notification timeframe is 72 hours, and the detailed report is submitted to the audit committee within five to seven days. If a cybersecurity incident is deemed material, it will be reported promptly under SEC guidance.

Management and Board of Director Oversight of Cybersecurity Threats

The Company's Chief Financial Officer and the audit committee of the Board have responsibility for the oversight of cybersecurity threats and incidents and review the Company's programs and policies on an annual basis. The Company's Chief Financial Officer has prior management experience in overseeing technology infrastructure and cybersecurity.


Company Information

Name: Hyliion Holdings Corp.
CIK: 0001759631
SIC Description: Truck & Bus Bodies
Ticker: HYLN - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30