Fisker Inc./DE 10-K Cybersecurity GRC - 2024-04-22

Page last updated on April 23, 2024

Fisker Inc./DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-22 18:47:32 EDT.

Filings

10-K filed on 2024-04-22

Fisker Inc./DE filed an 10-K at 2024-04-22 18:47:32 EDT
Accession Number: 0001720990-24-000045

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity While no organization can eliminate cybersecurity risk entirely, we devote significant resources to our security program that we believe is reasonably designed to mitigate our cybersecurity and information technology risk. Our efforts focus on protecting and enhancing the security of our information systems, software, networks, and other assets. These efforts are designed to protect against, and mitigate the effects of, among other things, cybersecurity incidents where unauthorized parties attempt to access confidential, sensitive, or personal information potentially hold such information for ransom destroy data disrupt or degrade service or our operations sabotage systems or otherwise cause harm to the Company, our customers, suppliers, or dealers, or other key stakeholders. We employ capabilities, processes, and other security measures we believe are designed to reduce and mitigate these risks and have requirements for our suppliers to do the same. Despite having thorough due diligence, onboarding, and cybersecurity assessment processes in place for our suppliers, the responsibility ultimately rests with our suppliers to establish and uphold their respective cybersecurity programs. Our ability to monitor the cybersecurity practices of our suppliers is limited and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, networks, and other assets owned or controlled by our suppliers. When we become aware that a supplier s cybersecurity has been compromised, we attempt to mitigate the risk to the Company, including, if 51 Table of Contents Index to Financial Statements appropriate and feasible, by terminating the supplier s connection to our information systems. Notwithstanding our efforts to mitigate any such risk, there can be no assurance that the compromise or failure of supplier information systems, technology assets, or cybersecurity programs would not have an adverse effect on the security of the Company s information systems. To effectively prevent, detect, and respond to cybersecurity threats, we employ a multi-layered cybersecurity risk management program supervised by our Chief Information Security Officer, whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, architecture, education, and risk management processes. This responsibility includes identifying, considering, and assessing potentially material cybersecurity incidents on an ongoing basis, establishing processes designed to prevent and monitor potential cybersecurity risks, implementing mitigation and remediation measures, and maintaining our cybersecurity program. Our cybersecurity program aligns to internationally recognized standards and best practices for cybersecurity and data protection. We perform, internal and externally sourced, security testing, 3rd party attack simulations, application scanning, and IT Security Controls Assessments, to identify vulnerabilities and evaluate cyber defense capabilities in the enterprise and in our vehicle product systems. We also perform phishing and social engineering simulations and provide cybersecurity training to Company personnel with access to Company information and/or digital assets. We disseminate security awareness newsletters to employees to highlight emerging or urgent cybersecurity threats and best practices. Externally, we monitor notifications from the U.S. Computer Emergency Readiness Team ( CERT ), Automotive Information Sharing and Analysis Center ( Auto ISAC ), FBI InfraGard and review customer, media, and third-party, cybersecurity reports and respond to third-parties or security researchers who notify us of vulnerabilities they can detect in our cyber defenses. Our capabilities, processes, and other security measures also include, without limitation: Security Information and Event Management ( SIEM ) cloud incident management platform, that provides a log aggregation and analytics solution for threat and vulnerability monitoring. Endpoint Detection and Response ( EDR ) software, which monitors for malicious activities on endpoints. Cloud Security Posture and Workload Protection (CSPM/CWPP) infrastructure, container, and workload monitoring for threats and compliance posture and Corporate incident response plans, including a product security incident response plan. Supplier Risk Management processes to monitor contractual cybersecurity requirements, assess and manage 3rd party cyber and data risk in service and technical engagements. We invest in enhancing our cybersecurity capabilities and strengthening our partnerships with key business partners, service providers, government, and law enforcement agencies, to understand the range of cybersecurity risks in the global operating environment, enhance defenses, and improve resiliency against cybersecurity threats. Additionally, our CISO is a member of the FBI InfraGard and FBI Executive Advisory Board. Our membership in these public and private sector groups assists in our efforts to protect the Company against both enterprise and in-vehicle security risks. The Company s global cybersecurity incident response is overseen by our Chief Information Security Officer. Our Chief Information Security Officer has served in that role for over 2 years and has over 2 decades of cybersecurity governance, engineering, and operations experience for large global brands. Our Chief Information Security Officer reports to the Vice President of IT. The Vice President of IT reports directly to the Senior Vice President of Enterprise, Digital Operations, and Transformation. When a cybersecurity threat or incident is identified, our policy is to review and triage the threat or incident, and to then manage it to conclusion in accordance with our cybersecurity incident response processes. When a cybersecurity incident is determined to be significant, it is addressed by senior management and/or disclosure committee using processes that leverage subject-matter expertise from across the Company. Furthermore, we may engage third-party advisors as part of our incident management processes. Any cybersecurity incident that is identified as having the potential to be highly significant or material to the Company are brought to the attention of the Chief Technology Officer and /or General Counsel by the Chief Information Security Officer as part of our cybersecurity incident response processes. Cybersecurity risk management is an integral part of our overall enterprise risk management program. As part of its enterprise risk management efforts, the Board meets with senior management, including the executive leadership team, 52 Table of Contents Index to Financial Statements to assess and respond to critical business risks. Critical enterprise risks are assessed by senior management annually and discussed with the Board. Once identified, each of the risks we view as most significant is assigned an executive risk owner who is responsible to oversee risk assessment, develop and implement mitigation plans, and provide regular updates to the Board (and/or Board committee assigned to the risk). Cybersecurity threats have been and continue to be identified as one of the Company s top risks, with our Chief Technology Officer and Chief Information Security Officer assigned as the executive risk owners. The Board has delegated primary responsibility for the oversight of cybersecurity and information technology risks, and the Company s preparedness for these risks, to the Audit Committee. Our Chief Information Security Officer briefs the Board annually. As part of its oversight duties, the Audit Committee receives regular updates on our cybersecurity posture and information security risks from our Chief Information Security Officer. These regular updates include topics related to cybersecurity practices, cyber risks, and risk management processes, such as updates to our cybersecurity programs and mitigation strategies, and other cybersecurity developments. In addition to these regular updates, as part of our incident response processes, the Chief Technology Officer, in collaboration with the Chief Information Security Officer and General Counsel, provides updates on certain cybersecurity incidents to the Audit Committee and, in some cases, the Board. The Audit Committee reviews and provides input into, and oversight of our cybersecurity processes, and in the event the Company determines it has experienced a material cybersecurity incident, the Audit Committee is notified about the incident in advance of filing a Current Report on Form 8-K. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ, that we believe are designed to prevent, detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the probability or risk of an incident. Risk management measures cannot provide absolute security, and may not be sufficient in all circumstances, or mitigate all potential risks. Our Cybersecurity program makes a reasonable and ongoing effort to keep pace with a rapidly changing threat and regulatory landscape.

Company Information