TECOGEN INC. 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

TECOGEN INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 13:19:42 EDT.

Filings

10-K filed on 2024-03-25

TECOGEN INC. filed an 10-K at 2024-03-25 13:19:42 EDT
Accession Number: 0001537435-24-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management Strategy Our business is dependent upon our information technology ( IT ) systems, devices and networks to collect, process and store the data necessary to conduct our business and record and report our business and financial information. We recognize the importance of developing, implementing, and maintaining effective cybersecurity measures to safeguard our IT systems and protect the confidentiality, integrity, and availability of our confidential and personal data, including with respect to our customers, suppliers, and employees, as well as our intellectual property. 23 TECOGEN INC. Table of Contents We maintain a cybersecurity risk management program to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our cybersecurity risk management program incorporates various mechanisms to detect and monitor unusual network activity, as well as containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our business and have processes to assess those issues for potential cybersecurity impact or risk. We have integrated our cybersecurity risk management program into our broader enterprise risk management program. This integration is designed to make cybersecurity considerations an integral part of our decision-making processes at every level and we believe that this integration allows cybersecurity risks to be evaluated and addressed in alignment with our business objectives and operational needs. While we work to maintain our information security program and risk management efforts, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to our systems, networks, and data or those of our third-party providers. We rely on suppliers that are also exposed to ransomware and other malicious attacks that can disrupt business operations. Although we take steps to secure confidential information that is provided to or accessible by third parties, such measures may not always be effective and losses or unauthorized access to, or releases of, confidential information occur. Such incidents and other malicious attacks could materially adversely affect our business, reputation, results of operations and financial condition. We have experienced malicious attacks and other attempts to gain unauthorized access to our systems, including a ransomware attack on our computer network which occurred on April 28, 2023. Following remediation, our network returned to full operation on May 1, 2023. We have engaged a third-party consultant in connection with our risk management and assessment processes. Our consultant assists us in the design and implementation of our cybersecurity policies and procedures, as well as the monitoring and testing of our safeguards. In the event of an incident, our incident response plan outlines the steps to be followed from incident detection to mitigation, recovery and notification, and involves notifying senior management, our legal department, and the board of directors and/or our audit committee, if appropriate, and mitigation and remediation steps by our third-party consultant. Governance Our board of directors has overall responsibility for informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure. Our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors has delegated to our audit committee its cybersecurity risk oversight processes, including oversight and mitigation of risks from cybersecurity threats. Our audit committee receives periodic reports from management regarding our cybersecurity risks and is notified of any significant cybersecurity threat or incident. The audit committee reports to the board of directors regarding its activities, including with respect to cybersecurity matters and the occurrence of any material cybersecurity incident, if appropriate. We have engaged a third-party consultant to manage risks associated with network protection and workstation management. Our consultant performs an annual assessment of our cybersecurity risk policies and procedures.

Company Information