EVgo Inc. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

EVgo Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 16:15:58 EST.

Filings

10-K filed on 2024-03-06

EVgo Inc. filed a 10-K at 2024-03-06 16:15:58 EST
Accession Number: 0001558370-24-002608


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management, Strategy and Governance.

Risk Management and Strategy

The Company maintains a cybersecurity risk management program designed to mitigate cybersecurity risks through a comprehensive framework that integrates cybersecurity into the Company's overall risk management processes.

Risk Assessment. The Company's internal cybersecurity team conducts regular assessments designed to identify vulnerabilities within the Company's systems and processes. These assessments are part of the Company's ongoing risk management strategy and inform strategic decisions regarding security investments and policy developments. The internal risk assessment process includes periodic reviews of the Company's charging infrastructure, software applications and operational procedures against best practices and address current and potential threats. To augment the Company's internal efforts, the Company engages third parties to conduct independent assessments of the Company's cybersecurity posture. These external assessments provide an objective review of the Company's security controls, breach readiness and compliance with industry standards and regulations. The insights gained from these audits inform refinements to the Company's risk management strategies with respect to cybersecurity-related threats.

Cybersecurity Policies and Procedures. The Company maintains a set of cybersecurity policies and procedures that are regularly reviewed and updated. These policies are crafted in accordance with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, which provides a policy foundation for critical infrastructure security. These policies govern the Company's cybersecurity program, including but not limited to access control, system development life cycle management, change management, and incident response.

Monitoring Controls. In addition to the Company's cybersecurity policies and procedures, the Company places a significant emphasis on monitoring controls as a critical component of its cybersecurity strategy. These controls are designed to enable the Company to consistently oversee and evaluate the effectiveness of the Company's cybersecurity measures to help ensure prompt detection of and response to potential threats or anomalies. The Company maintains a continuous monitoring strategy that utilizes advanced tools and technologies to oversee the Company's network infrastructure and digital assets. This includes data loss prevention controls, system log reviews and unusual activities that could indicate a potential security breach. Automated alert systems deployed as part of the Company's monitoring controls are designed to enable rapid identification and escalation of suspicious activities. These systems are configured to detect a range of cyber threats, from malware infections to unauthorized access attempts.

Cyber Incident Response and Reporting. The Company's Security Incident Response Policy is designed to enable prompt and effective action in the event of a cybersecurity incident to safeguard the Company's information technology systems, customer data and overall business operations. The Company is cognizant of the ever-evolving landscape of cybersecurity threats and their potential to materially impact the Company's operations. To date, the Company does not believe that it has experienced any cybersecurity incidents that have had a material adverse effect on the Company's business strategy, operations or financial condition. However, the Company recognizes that cybersecurity threats are a significant risk factor for any organization, especially those involved in digital infrastructure. See Part I, Item 1A, Risk Factors, for further discussion.

Detection and Analysis. Under the Security Incident Response Policy, all EVgo employees and other personnel are responsible for reporting any known, suspected or possible security events, including those that may have originated with a third-party service provider, to the Company's Information Security Department, which promptly notifies the Company's President, who serves as the Company's Information Security Coordinator. The Information Security Coordinator reviews the initial facts and findings regarding any security events, provides direction to the Information Security Department regarding any additional information that should be obtained, and convenes a meeting of the Company's Security Incident Response Team (the "SIRT") to review the matter, including to determine if the event could constitute a security incident. The SIRT is composed of employees with expertise in various aspects of EVgo's operations including information security, information technology, DevOps, legal, and EVSE engineering, as well as senior leaders, including EVgo's President, Chief Financial Officer and Chief Legal Officer.

Materiality Assessment, Mitigation and Reporting. Under the Company's Security Incident Response Policy, the SIRT, under the leadership of the Information Security Coordinator, is responsible for promptly assessing the materiality of security events, developing the Company's response to such events and, if a security event is determined to be a material incident, to oversee the Company's disclosures regarding the incident as required by the rule adopted by the SEC related to cybersecurity disclosures. In determining whether a security event could constitute a security incident, the SIRT considers all facts and known information, including (without limitation) the potential harm to customers, employees and other parties; possible effects on the Company's operations, financial statements, brand perception, reputation, customer or vendor relationships and competitiveness; the risk of fraud, extortion or intellectual property theft; litigation, regulatory and other legal risk; and other potential impacts. The Chair of the Audit Committee is informed of the SIRT's review of cybersecurity events and its determinations as to the materiality of such events. The Security Incident Response Policy also includes procedures for the SIRT to coordinate the containment, eradication, mitigation, recovery and remediation related to security events and security incidents and the implementation of procedures and actions designed to prevent additional security events in the future.

The Company also conducts regular cybersecurity training for employees to ensure they are aware of potential cybersecurity threats and understand the role they play in maintaining the Company's defenses. The Company also monitors evolving regulations and standards to ensure that the Company's practices align with industry best practices and legal and regulatory obligations.

Governance

Board Oversight of Cybersecurity. The Audit Committee of the Company's Board of Directors (the "Audit Committee"), acting pursuant to authority delegated by the full Board of Directors, actively oversees the Company's cybersecurity strategy and risks from cybersecurity threats, as well as the Company's broader enterprise risk management framework. The Company's management-level Enterprise Risk Committee meets regularly to review the Company's risk profile and develop mitigation strategies with respect to those risks. The Audit Committee reviews the enterprise risk matrix prepared by the Enterprise Risk Committee on an annual basis.

Board's Oversight Role. The Audit Committee reviews and assesses the Company's risk management program and cybersecurity activities and strategy to help align with the Company's business objectives and compliance with legal and regulatory standards. These updates include reviews of new or evolving cybersecurity threats, the Company's cybersecurity measures, the results of recent third-party security audits, and assessments and oversight of any recent cybersecurity events with certain characteristics that may have occurred. This oversight role includes evaluating the effectiveness of policies and procedures designed to protect Company assets and sensitive customer information from cyber threats. The Chair of the Audit Committee regularly reports on the Audit Committee's oversight activities related to enterprise risk management and cybersecurity to the full Board of Directors.

The Information Security Coordinator promptly notifies the Chair of the Audit Committee of any security events reviewed by the SIRT, the SIRT's determination of whether a security event is reportable on Form 8-K pursuant to the SEC Cyber Rule and the factors underlying that determination. If the SIRT determines that a cybersecurity incident is likely material and therefore reportable on Form 8-K, a draft of the Form 8-K will be provided to the Audit Committee for review and comment prior to the Company filing the Form 8-K within the deadline specified by the SEC Cyber Rule. The Audit Committee's active engagement with and oversight of the Company's cybersecurity program helps foster a culture of security awareness throughout the Company.


Company Information

Name: EVgo Inc.
CIK: 0001821159
SIC Description: Services-Automotive Repair, Services & Parking
Ticker: EVGO - Nasdaq; EVGOW - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30