Bloom Energy Corp 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

Bloom Energy Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 16:04:22 EST.

Filings

10-K filed on 2024-02-15

Bloom Energy Corp filed a 10-K at 2024-02-15 16:04:22 EST
Accession Number: 0001628280-24-005035


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, or availability of our information technology systems or any information residing therein. Our cybersecurity risk management program includes a cybersecurity incident response plan.

We design and assess our program based on the Center for Internet Security ("CIS") 18 Framework. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS 18 Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes:

- Periodic risk assessments are designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment.
- A security team principally responsible for managing our cybersecurity risk assessment processes, security controls, and response to cybersecurity incidents.
- The use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls.
- Our Internal Audit department which monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment.
- Periodic cybersecurity awareness training for our employees and contractors with access to our information technology systems.
- A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, including incidents that could be indicators of attack against availability, integrity and confidentiality of information systems.
- A third-party risk management process for service providers, suppliers, and vendors that includes examining their security postures and assessing their data and system protection controls.

Our business has not been materially affected by cybersecurity incidents to date. For a discussion of how cybersecurity risks could materially affect us in the future, please see the risk factors set forth under the caption Part I, Item 1A, Risk Factors Risks Related to our Operations.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit and Risk Committee (the "Audit Committee") oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program. The Board receives periodic reports from the Audit Committee on these and other activities.

The Audit Committee receives periodic reports from management on our cybersecurity risks, including presentations from our Chief Information Officer, internal security staff, and external experts. This includes updates to the Audit Committee, as appropriate, regarding any significant cybersecurity incidents, or multiple incidents that could be significant in the aggregate. These updates may occur in between regularly scheduled Audit Committee meetings.

At the management level, the Enterprise and Risk Management Committee (the "ERM Committee") discusses cybersecurity topics, including any potentially material cybersecurity incidents, as part of its oversight of the company's significant risks.

Our management team, including the Chief Information Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including:

- periodic briefings from internal security personnel;
- periodic reviews of risk management measures implemented to prevent, detect, mitigate, and remediate cybersecurity risks and incidents, including our incident response plan;
- threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and
- alerts and periodic reports produced by security tools deployed in our IT environment.

Our Chief Information Officer has more than 20 years of cybersecurity and information technology experience and she has served as the Chief Information Officer for multiple technology companies. Similarly, the members of the ERM Committee possess significant risk management experience obtained by their collective years of experience at Bloom and other companies of similar or greater complexity.


Company Information

Name: Bloom Energy Corp
CIK: 0001664703
SIC Description: Electrical Industrial Apparatus
Ticker: BE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30