PHOENIX MOTOR INC. 10-K Cybersecurity GRC - 2025-05-30

Page last updated on June 2, 2025

PHOENIX MOTOR INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-30 16:39:40 EDT.

Filings

10-K filed on 2025-05-30

PHOENIX MOTOR INC. filed a 10-K at 2025-05-30 16:39:40 EDT
Accession Number: 0001641172-25-013062

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cybersecurity risk management is an integral part of our overall enterprise risk management program. We have made significant investments in processes, and technology to protect Phoenix’s connected vehicles, services, confidential business information, and employee and consumer personal data. We have implemented multiple and varied processes and technologies for the avoidance, identification, assessment, mitigation, and remediation of risks from cybersecurity threats and incidents designated to protect against the cybersecurity risk landscape. We are continuously assessing and enhancing our protection, detection, response, and recovery capabilities and regularly engage with the cybersecurity communities, third-party cybersecurity and compliance partners, internal stakeholders, and organizations leading best practices, to support our goals and objectives. At its core, our cybersecurity risk management program integrates multiple teams across the organization, including our operations team, with leadership and oversight by executive management, the Audit Committee of the Board of Directors (“Audit Committee”), and the Board of Directors (“Board”). Governance Board and Committee Oversight Our Board has oversight responsibility for our overall enterprise risk management and delegates cybersecurity risk management oversight to the Audit Committee . The Audit Committee oversees Phoenix’s policies and practices with respect to risk assessment and risk management, including discussing with management (i) Phoenix’s major financial, cybersecurity, privacy and other information technology risk exposures; (ii) the steps that have been taken to monitor and control such exposures; and (iii) any material cybersecurity threats or incidents. The Audit Committee and the Board receive regular reporting from Phoenix’s management on the status of our cybersecurity program and ad hoc reporting on material cybersecurity threats and incidents. Management’s Role At the management level, our COO and CFO are responsible for leading our cybersecurity risk management program and enterprise cybersecurity matters. The COO and CFO monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. For potentially material cybersecurity threats and incidents, we escalate these to the CEO, and would raise such threats and incidents to our Audit Committee Chair and, as appropriate, to our Board as they arise. Management of Cybersecurity Risk Our Cybersecurity Risk Management Processes Our cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents by escalating risks, issues, and key decisions to management, the Audit Committee, and our Board. Our program is designated to protect our products and services, confidential business information (including intellectual property), and employee and consumer data and includes steps for detecting and monitoring cybersecurity threats and incidents, assessing the severity of such threats or incidents, identifying the source of such threats or incidents, including whether such threats or incidents are associated with a third-party vendor or service provider , implementing cybersecurity countermeasures and mitigation strategies and informing management, the Audit Committee, and our Board of potentially material cybersecurity threats and incidents. In addition, our operations team provides cybersecurity training to employees during the onboarding process and periodic basis thereafter, with specialized training and tabletop exercises for our core incident response teams and executive management on at least an annual basis.

Company Information