Li-Cycle Holdings Corp. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Li-Cycle Holdings Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 17:02:48 EDT.

Filings

10-K filed on 2024-03-15

Li-Cycle Holdings Corp. filed an 10-K at 2024-03-15 17:02:48 EDT
Accession Number: 0001628280-24-011518

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Information Security Risk Management and Strategy The Company is committed to developing robust governance and oversight of cybersecurity risks and to implementing processes, controls and technologies designed to help assess, identify, and manage material risks. As described further in Information and Security and Governance Oversight below, the Vice President of IT is responsible for Li-Cycle s information security program and as part of its broader risk oversight, the Board of Directors of the Company oversees risks from information security threats both directly and through the Audit Committee of the Board of Directors of the Company. Our information technology ( IT ), infrastructure, applications, and networks are susceptible to potential impacts due to the escalating sophistication and frequency of cyber-attacks and security incidents. Breaches in our technology systems, whether from circumventing security measures, denial-of-service attacks, hacking, phishing, computer viruses, ransomware, malware, employee errors, malfeasance, social engineering, vendor software supply chain compromises, physical breaches, or other actions, have the potential to compromise the confidentiality, availability, and integrity of crucial information. Such incidents may cause interruptions or malfunctions in our manufacturing systems, applications, and data processing, thereby disrupting other business operations. Additionally, critical information associated with our business operations is managed by some of our third-party vendors. Anticipating or preventing all cyber-attacks requires an ever-present focus. A cyber-attack or a security incident leading to a breach could disrupt our business operations, harm our reputation, necessitate compliance with data breach notification laws, and subject us to litigation, regulatory investigation, or other liabilities under laws, regulations, and contractual obligations. This could result in increased costs, significant legal and financial exposure, and reputational damage. We invest in information security and data privacy measures to safeguard our systems and data. This includes organizational investments, incident response plans, technical defenses, and employee training. We also utilize a third party to conduct vulnerability scans. Our approach to cyber-security risk management is designed to identify, assess, prioritize and manage major risk exposures that could affect our ability to execute our corporate strategy and fulfill our business objectives. For instance, we utilize our existing information security measures to oversee operational landscapes, address suspicious events, and generate necessary reports shared during our monthly meetings. Additionally, as deemed necessary, 49 Table of Content s we request third-party service providers to furnish System and Organization Controls ( SOC ) reports. Simultaneously, we are in the process of revising and formulating new IT policies, standards, and procedures in harmony with the National Institute of Standards and Technology Cybersecurity framework. In 2023, we launched an ongoing enterprise-wide communication initiative focused on cyber threats, which aims to educate Li-Cycle employees on recognizing and responding to potential cyber threats effectively, and serves as a reminder of the critical role each individual plays in ensuring the safety of our organization. We maintain the availability of cybersecurity consultants as required and regularly conduct vulnerability scans within our environment to identify areas for ongoing enhancements. Additionally, our IT General Controls (ITGC) undergo audits, encompassing processes that overlap with cybersecurity concerns such as access control, permissions, and robust password management. The insights derived from these and other assessments guide us in refining our information security practices, procedures, and technologies. Information Security and Governance Oversight The Vice President of IT is responsible for Li-Cycle’s information security program. In this capacity, the executive oversees the enterprise-wide cybersecurity strategy, ensuring the development of policies and standards, the implementation of processes, and the management of architectural elements. The Vice President of IT is responsible for assessing and managing material risks from cybersecurity threats, and is supported in delivering this function with a dedicated internal IT team. The Vice President of IT has over eight years of leadership experience as a Chief Information Officer and Chief Technology Officer, with experience overseeing information security, risk management, and compliance functions. The Cybersecurity Steering Committee convenes no less than quarterly to evaluate and address significant risks stemming from cybersecurity threats. Additionally, as part of its broader risk oversight, the Board of Directors of the Company oversees risks from information security threats both directly and through the Audit Committee of the Board of Directors of the Company. As reflected in its charter, the Audit Committee is required to periodically review and receive reports from management regarding risks and exposures related to information technology and cyber security. The Vice President of IT submits reports to the Audit Committee and other senior management members as appropriate. These reports provide insights into the evolving threat landscape, updates on the organization’s cyber risks and threats, evaluations of the information security program, and the status of initiatives aimed at improving the information security program and its systems.

Company Information