Workhorse Group Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Workhorse Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 08:48:02 EDT.

Filings

10-K filed on 2024-03-12

Workhorse Group Inc. filed a 10-K at 2024-03-12 08:48:02 EDT
Accession Number: 0001425287-24-000068


Item 1C. Cybersecurity.

We utilize an internal cross-departmental approach to addressing cybersecurity risk, including input from employees, Senior Management, and our Board of Directors. A cross functional Senior Management Cybersecurity Steering Committee devotes resources to cybersecurity and risk management to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management program is based on the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond, and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection, and mitigation. Our information technology (IT) team reviews enterprise risk management-level cybersecurity risks annually, and risks are incorporated into the Enterprise Risk Management Committee framework.

In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include several IT Security policies as well as other policies that directly or indirectly relate to cybersecurity, which address topics related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email, and networked devices. These policies go through an internal review process and are approved by appropriate members of management. The Company's Director of Cybersecurity in cooperation with the Chief Information Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Company's internal Cybersecurity Steering Committee. Our Director of Cybersecurity has over 20 years of experience leading cybersecurity oversight and holds cybersecurity certifications such as the CISSP (Certified Information Systems Security Professional).

We periodically perform simulations to test employees and provide any necessary remedial training. All employees are required to complete cybersecurity training at least once a year and have access to more frequent cybersecurity training online. We may also require employees in certain roles to complete additional role-based, specialized cybersecurity training.

We continue to expand investments in IT security, taking a multi-layered security approach, which includes additional end-user training, improving security defenses, network segmentation, identifying and protecting critical assets, strengthening monitoring, and alerting, and leveraging industry experts where available. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team monitors alerts and meets to discuss threat levels, trends, and remediation. Our IT team also regularly collects data on cybersecurity threats and risk areas and conducts a periodic risk assessment. Further, we conduct external penetration tests and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property.

In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Our Internal Audit team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. In collaboration with our Internal Audit team, the internal business owners of the hosted applications are required to document user access reviews at least annually and provide from the vendor a System and Organization Controls (SOC) 1 or SOC 2 report.

The Audit Committee and the Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Audit Committee's semi-annual cybersecurity review also includes review of recent enhancements to the Company's defenses and management's progress on its cybersecurity strategic roadmap. In addition, the Cybersecurity Steering Committee receives quarterly cybersecurity reports, which include a review of key performance indicators, test results and related remediation, and may discuss recent threats and how the Company is managing those threats.

We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to our data and systems, including malware, phishing, and other types of cyber-attacks. For more information about the cybersecurity risks we face, see the risk factors described in Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.


Company Information

Name: Workhorse Group Inc.
CIK: 0001425287
SIC Description: Motor Vehicles & Passenger Car Bodies
Ticker: WKHS - Nasdaq
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30