AMERICAN SUPERCONDUCTOR CORP /DE/ 10-K Cybersecurity GRC - 2025-05-21

Page last updated on May 26, 2025

AMERICAN SUPERCONDUCTOR CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-21 16:17:11 EDT.

Filings

10-K filed on 2025-05-21

AMERICAN SUPERCONDUCTOR CORP /DE/ filed a 10-K at 2025-05-21 16:17:11 EDT
Accession Number: 0001437749-25-017986

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Overview Our technologies, systems and networks may be subject to cybersecurity threats. Our business, like others within the energy technologies industry, is faced with growing cybersecurity threats as we increasingly rely on digital technologies across our business, some of which are managed by third -party service providers on whom we rely to help us collect, host or process information. We recognize the significance of these threats, sometimes referred to as hacking, cybersecurity fraud, and cyberattacks, and maintains processes and procedures designed to protect our critical systems and sensitive information from unauthorized access. However, there can be no assurance that a cyber-attack would timely be detected or thwarted. To date, we are not aware of any material cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, and we have not incurred significant operating expenses related to cybersecurity incidents. For more information on risks related to cybersecurity, please see the section titled “Risk Factors” included under Item 1A of this Annual Report on Form 10-K. Risk Management and Strategy Our cybersecurity risk management program includes operational, technical and physical controls to protect against and respond timely to cybersecurity threats. To address evolving cybersecurity risks and corresponding regulations, our policies and procedures are benchmarked to industry, regulatory and cybersecurity frameworks (including the National Institute of Standards and Technology). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we may use industry, regulatory, and cybersecurity frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall risk management program, and shares common methodologies, reporting channels and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial risk areas. Management has engaged third -party vendors to assist in monitoring our cybersecurity risk management programs and identifying and responding to any incidents. Additionally, third -party vendors are routinely engaged to evaluate how effectively management as a whole manages cybersecurity risk. This includes annual testing of our incident response plan through tabletop exercises and simulations to ensure readiness as well as penetration testing and security assessments. We also utilize third -party cybersecurity vendors to assess our protections against identified vulnerabilities, and we have implemented a third -party risk management process for key service providers, based on our assessment of their criticality to our operations. We have developed cybersecurity training for employees concerning cybersecurity risk. This training provides information on security awareness and phishing simulations. All employees are required to attend periodic cybersecurity training. On a regular basis, our IT team shares news and articles related to cybersecurity awareness with all employees. Our cybersecurity risk assessment is performed annually and includes external and internal penetration testing performed by third party vendors to test for vulnerabilities in the Company’s environment. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors - Our business and operations may be materially adversely impacted in the event of a failure or security breach of our or any critical third parties’ IT Systems or Confidential Information.” 34 Governance The Board of Directors has delegated the oversight of risks from cybersecurity threats to the Audit Committee, which has delegated authority to the Chief Financial Officer to oversee the Company’s day-to-day cybersecurity risk management, including prevention, detection and responding to any suspected cybersecurity incident. The Audit Committee is updated at least annually by the CFO on the status of cybersecurity matters. Contemporaneous reporting is provided on an as needed basis to the Audit Committee and to the full Board of Directors on significant cyber events including response, legal obligations, and outreach and notification to regulators, and third parties when needed. The Director, Global Information Technology and Financial Systems (the “IT Director”), leads an internal team who work directly with our third-party vendors to manage our cybersecurity risk management program and activities. The internal team monitors our information systems for cybersecurity threats, reviews cybersecurity incidents, analyzes emerging threats, and develops and implements risk mitigation strategies. Under our CFO’s authority, the IT Director periodically reports on the cybersecurity program to our executive leadership team, including by providing the team with updates on cybersecurity threats and incidents, the status of ongoing projects and initiatives, performance metrics, and additional cybersecurity topics. On an annual basis, the IT Director reviews the results of the current state of cybersecurity risk management, including the results of our cybersecurity risk assessment and any action plan to address any identified vulnerabilities.

Company Information