Benson Hill, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on July 16, 2024

Benson Hill, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:32:08 EDT.


10-K filed on 2024-03-14

Benson Hill, Inc. filed a 10-K at 2024-03-14 17:32:08 EDT
Accession Number: 0001830210-24-000025


Item 1C. Cybersecurity.

Risk Management and Strategy

We have an Information Security Program, which is focused on assessing, identifying, and managing cyber risk and information security threats. We leverage the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“Framework”) as the foundation of our Information Security Program. The NIST Framework provides standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk and is designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

In the ordinary course of our business, we collect and store confidential data, including intellectual property, proprietary business information and personally identifiable information (including of our employees, customers, suppliers and business partners). We rely extensively on information technology systems, including some systems that are managed by third-party service providers, to securely process, store and transmit such confidential data in order to conduct our business. These systems include programs and processes relating to internal and external communications, ordering and managing materials from suppliers, collecting, processing and storing data from other research and development initiatives, shipping products to customers, processing transactions, processing payments to employees and vendors, calculating sales receivables, generating our financial results for each reporting period, summarizing and reporting results of operations, and complying with information technology security compliance and other regulatory, legal or tax requirements.

We carry insurance that provides protection against the potential losses arising from a cybersecurity incident. However, there is no assurance that our insurance coverage will cover or be sufficient to cover all losses or claims that may result from a cybersecurity incident.

To proactively manage cybersecurity risk in our organization, we have an Information Technology Security Policy that is available to all employees on our intranet. We also conduct regular cybersecurity awareness and training campaigns for our employees. Internal and external stakeholders can access our 24/7 helpline online or by phone to report any security incidents for escalation.

To proactively identify, mitigate, and prepare for potential cybersecurity incidents, we maintain a cyber incident response plan. We periodically conduct internal and external phishing attack simulation exercises involving employees at all levels of the organization. We also periodically engage independent, third-party consultants to conduct periodic audits of our systems, and test our information technology infrastructure. Through these channels as well as through regular internal, external, and cloud vulnerability scanning, we work to proactively identify potential vulnerabilities in our Information Security system.

We recognize that we are exposed to cybersecurity threats associated with our use of third-party service providers. We strive to minimize cybersecurity risks when we first select or renew a vendor by including cybersecurity risk as part of our overall vendor evaluation and due diligence process.

We have not been materially impacted by risks from cybersecurity threats and as of the date of this report, we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, our systems and networks have been, and are expected to continue to be, the target of increasingly advanced and evolving cyber-attacks and cybersecurity incidents in the future which may adversely impact our business, financial condition and results of operations, and we are continuing to actively monitor such threats. For more information, see our risks associated with cybersecurity threats under "Risk Factors" in this report.

Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity and other information technology risks to our Audit and Risk Committee. The oversight of our cybersecurity program at the management level has been delegated to our CFO to oversee our Company’s Information Security programs and investments. Our Senior Director, IT reports to our CFO and oversees our Information Security Program. Our Senior Director, IT along with our CISSP-certified Director of Cybersecurity, Infrastructure and Operations, leads and executes on our cybersecurity program and provides regular updates to our management team, including the CEO, on our cybersecurity program and cybersecurity risks. Our Senior Director, IT and CFO also provide quarterly reports to our Audit and Risk Committee internal identification, prevention, detection, mitigation and remediation of cybersecurity risks and incidents.

With respect to specific incidents, we leverage an incident response framework to elevate and evaluate specific incidents to the incident response team. In the event of a potentially material cybersecurity incident, our Audit and Risk Committee would be immediately notified and briefed.

Company Information

Name: Benson Hill, Inc.
SIC Description: Food and Kindred Products
Emerging growth company
Fiscal Year End: December 30