Energy & Water Development Corp 10-K Cybersecurity GRC - 2024-04-26

Page last updated on April 26, 2024

Energy & Water Development Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-26 17:24:22 EDT.

Filings

10-K filed on 2024-04-26

Energy & Water Development Corp filed an 10-K at 2024-04-26 17:24:22 EDT
Accession Number: 0001079973-24-000601

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. For their new cybersecurity section in Form 10-Ks, companies should confirm compliance with the new line item requirements in Item 106 of Regulation S-K, as summarized below. Risk Management and Strategy. Under new Items 106(b)(1), companies must: Describe the registrant’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items: (i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes. (ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes. (iii) Whether the registrant has processes to oversee and" identify such risks from cybersecurity threats associated with its use of any third-party service provider. The SEC’s purpose in adopting new disclosure items in Item 106(b)(1) was to “allow investors to ascertain a registrant’s cybersecurity practices, such as whether they have a risk assessment program in place, with sufficient detail for investors to understand the registrant’s cybersecurity risk profile,” while at the same time avoiding details that “could increase a company’s vulnerability to cyberattack.” 15 Cybersecurity Threat Disclosure. Under new Item 106(b)(2), companies must: Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how. This new requirement in Item 601(b)(2) was proposed in 2022 by the SEC to “equip investors to better comprehend the level of cybersecurity risk the company faces” and “assess the company’s preparedness regarding such risk,” but also aligns with the SEC’s 2018 guidance , which encourages companies to address the impact of any prior cybersecurity incidents in their risk factors. We expect many companies to provide a cross reference to existing risk factor disclosure on this point and to consider, as appropriate, any additional disclosure to address and clarify whether or not any cybersecurity incidents experienced to date have constituted a material cybersecurity incident. As the SEC noted, companies should likewise consider whether they need to revisit or refresh any previous disclosure made about cybersecurity incidents as they prepare this disclosure, including during the process of investigating a cybersecurity incident. 17 Governance Board Disclosure. Under new Item 106(c)(1), companies must: Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks. For this requirement in Item 601(c)(1), although the SEC opted not to adopt a proposal to require disclosure of the frequency of board and committee discussions, the SEC specifically noted in the adopting release that the disclosure may include discussion of frequency, including the board or board committee’s reliance on “periodic (e.g., quarterly) presentations by the registrant’s chief information security officer to inform its consideration of risks from cybersecurity threats.” 18 Notably, the SEC also removed its proposed requirement that companies disclose whether any directors have cybersecurity expertise, noting that “effective cybersecurity processes are designed and administered largely at the management level and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise as they do with other sophisticated technical matters.” 19 Governance Management Disclosure. Under new Item 106(c)(2), companies must: Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items: (i) Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. Relevant expertise may include, for example, prior work experience in cybersecurity any relevant degrees or certifications any knowledge, skills or other background in cybersecurity. (ii) The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. (iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors. For this requirement in Item 106(c)(2), the SEC noted that this list is a non-exclusive list that companies should consider when describing management’s role in cybersecurity oversight, and that this disclosure would typically encompass identification of whether a registrant has a chief information security officer [(CISO)] or someone in a comparable position. The detailed information required about the CISO’s background (including the CISO’s prior work experience, knowledge, skills and degrees or certifications held) is notable in that it goes beyond current disclosure requirements regarding other members of company management. 12

Company Information