Fluence Energy, Inc. 10-K Cybersecurity GRC - 2025-11-25

Page last updated on November 26, 2025

Fluence Energy, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-25 16:04:06 EST.

Filings

10-K filed on 2025-11-25

Fluence Energy, Inc. filed a 10-K at 2025-11-25 16:04:06 EST
Accession Number: 0001868941-25-000081

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management We manage our cybersecurity risks through an information security management system (ISMS) that falls under our overarching integrated management system (IMS) for quality and safety. Our cybersecurity risk management program and supporting ISMS focus our efforts on reducing residual risks to our critical corporate assets. The materiality of these risks drives the selection of appropriate controls and the prioritization of the projects and operational tasks of our cybersecurity teams. Our approach to controlling these risks is designed and assessed based on our selection and implementation of certain controls from the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. These controls are implemented to help us identify our critical assets and systems, protect them through preventative measures, detect attempts to compromise their confidentiality, integrity, and availability, respond to attacks by containing their progression and notifying relevant parties, and recover effectively if successfully compromised. Key elements of our cybersecurity risk management program include but are not limited to: authentication and authorization procedures, employee security awareness training, logging and monitoring procedures, network segmentation requirements, in transit and at rest encryption of certain data we deem sensitive, periodic vulnerability scanning, periodic control validation through penetration testing, periodic phishing attack simulations, production change control requirements, periodic tabletop exercises, and written incident response plans. We also use external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes. We maintain a third-party risk management process for key service providers based on our assessment of their criticality to our operations and respective risk profile. To date, we are not aware of any risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Fluence. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information on potential cybersecurity risks, please see Part I, Item 1A "Risk Factors" for the risk factor entitled " Our business depends on our ability to implement improvements to and properly maintain and protect the continuous operation and data integrity of our information technology infrastructure, data, and other business systems and the inability to do so may have a material adverse effect on our reputation and harm our business prospects, financial conditions, and operating results." Cybersecurity Governance Our cybersecurity program and supporting ISMS are governed by our Cybersecurity Steering Committee, which is includes our Chief Information Officer ("CIO") and is comprised of other members of our management team, including individuals from our finance, supply chain, product, information technology ("IT"), and legal departments. The Cybersecurity Steering Committee convenes quarterly to review the ISMS, identify new material risks and potential treatment plans that are recorded in our cybersecurity risk register, and review the overall health of security key risk indicators, technical key performance indicators, and roadmaps for the expected delivery of new and updated controls. Cybersecurity oversight and related risk-management activities are currently led by the CIO, who has more than 20 years of experience in information technology, cybersecurity governance, and enterprise-risk management. The CIO has implemented defense-in-depth cybersecurity frameworks and controls aligned with industry standards such as COBIT and ITIL and has regularly reported on cybersecurity risks and mitigation activities to boards of directors and audit committees throughout his career. Management is informed about cybersecurity risks through ongoing monitoring and reporting processes, including real-time incident dashboards, periodic risk assessments, and collaboration with internal and external cybersecurity experts. The CIO provides updates on cybersecurity risks, incident response readiness, and mitigation efforts to executive leadership and Fluence's board of directors through the Audit Committee as part of the Company's enterprise-risk-management program. We have a written cybersecurity incident escalation process overseen by senior leadership, and when senior leadership deems appropriate, a materiality committee is convened comprised of certain members of management who assess whether incidents must be reported to the SEC and/or the appropriate authorities. While Fluence's board of directors oversees all enterprise risks, the Audit Committee of our board of directors has primary responsibility for overseeing cybersecurity risks and management's implementation of our cybersecurity risk management program. The Audit Committee receives quarterly updates from CIO . These updates typically cover topics such as: overview of material cybersecurity incidents that have occurred since the last update, overview of residual cybersecurity risks to our critical business assets, recent investments in our cybersecurity program, and relevant cybersecurity operational metrics. The Audit Committee will report updates regarding cybersecurity to the Board, as it deems appropriate . Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat 64 intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Company Information