Bloom Energy Corp 10-K Cybersecurity GRC - 2026-02-09

Page last updated on February 9, 2026

Bloom Energy Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-09 17:16:15 EST.

Filings

10-K filed on 2026-02-09

Bloom Energy Corp filed a 10-K at 2026-02-09 17:16:15 EST
Accession Number: 0001628280-26-006516

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C, Cybersecurity of this Annual Report on Form 10-K for further information. We have developed a significant patent portfolio to protect elements of our proprietary technology. As of December 31, 2025, we had 380 active utility patents and 183 patent applications pending in the U.S., and we had an international patent portfolio comprising 252 active patents (counting patents by countries where enforceable) and 416 patent applications pending. Our U.S. patents are expected to expire between 2026 and 2044. While patents are an essential element of our intellectual property strategy, our business is not dependent on any one patent or pending patent application. We regularly review our development efforts to assess the existence and patentability of new intellectual property. We pursue the registration of our domain names, trademarks, and service marks in the U.S. and some international locations. "Bloom Energy" and "BE" are our registered trademarks in certain countries for use with Energy Server systems and our other products. We also hold registered trademarks for, among others, "Bloom Box," "BloomConnect," "BloomEnergy," and "Energy Server" in various countries. Bloom has several trademark applications pending, including applications directed to new product categories, expanded use applications, and applications on several logos used by the Company. When appropriate, we enforce our intellectual property rights against other parties. For more information about risks related to our intellectual property, please see the risk factors set forth under the caption Part I, Item 1A, Risk Factors-Risks Related to Our Intellectual Property . Manufacturing Facilities Our primary manufacturing facilities are in Fremont, California, and Newark, Delaware. We own our 178,000 square-foot manufacturing facility in Newark, which was our first purpose-built Bloom Energy manufacturing center and was designed specifically for copy-exact duplication as we expand, which we believe will help us scale more efficiently. Our Newark facility includes an additional 25 acres available for factory expansion and/or the co-location of supplier plants. We lease various manufacturing facilities in California and Delaware. We lease an 89,000 square-foot R&D and manufacturing facility in Fremont, California, which became operational in April 2021. Additionally, in Fremont, California, in June 2022, we opened a new research and technical center and a global hydrogen development facility with a total space of 73,000 square feet, and, since July 2022, we leased a 164,000 square-foot manufacturing facility that expires in February 2036. The lease terms of our Repair & Overhaul (R&O) manufacturing facilities in Newark, Delaware, with a total area of 133,000 square feet expire in December 2026, April 2027, and July 2030. During 2025, the lease of our 60,000 square-foot manufacturing, warehousing, and R&D facility in Sunnyvale, California, and our 44,000 square-foot R&D facility in Mountain View, California, ended. As of December 31, 2025, we had vacated these facilities and consolidated operations with our manufacturing facility in Fremont, California. We maintain a full-assembly facility in the Republic of Korea, in connection with our efforts to develop a local supplier ecosystem through a joint venture with SK ecoplant. Please see Part I,
ITEM 1C-CYBERSECURITY Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse Index to Financial Statements effects on the confidentiality, integrity, or availability of our information technology systems or any information residing therein. Our cybersecurity risk management program includes a cybersecurity incident response plan. We design and assess our program based on the Center for Internet Security ("CIS") 18 Framework. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS 18 Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes: - Periodic risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment. - A security team principally responsible for managing our cybersecurity risk assessment processes, security controls, and response to cybersecurity incidents, led by our Chief Information Security Officer. - The use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls. - Our Internal Audit department, which monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment. - Periodic cybersecurity awareness training for our employees and contractors with access to our information technology systems. - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, including incidents that could be indicators of attack against availability, integrity and confidentiality of information systems. - A third-party risk management process for service providers, suppliers, and vendors that includes examining their security postures and assessing their data and system protection controls. Since the beginning of the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity threats that, if realized, are reasonably likely to materially affect us. For a discussion of how cybersecurity risks could materially affect us in the future, please see the risk factors set forth under the caption Part I, Item 1A, Risk Factors-Risks Related to our Operations . Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program. The Board receives periodic reports from the Audit Committee and management on these and other activities. The Audit Committee receives periodic reports from management on our cybersecurity risks, including presentations from our Chief Information Security Officer, internal security staff, and external experts. This includes updates to the Audit Committee, as appropriate, regarding any significant cybersecurity incidents, or multiple incidents that could be significant in the aggregate. These updates may occur in between regularly scheduled Audit Committee meetings. At the management level, the Enterprise and Risk Management Committee (the "ERM Committee") discusses cybersecurity topics, including any potentially material cybersecurity incidents, as part of its oversight of the Company's significant risks. Our Chief Information Security Officer, collaborating with the broader management team, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including: - periodic briefings from internal security personnel; - periodic reviews of risk management measures implemented to prevent, detect, mitigate, and remediate cybersecurity risks and incidents, including our incident response plan; Index to Financial Statements - threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and - alerts and periodic reports produced by security tools deployed in our IT environment. Our Chief Information Security Officer has more than 20 years of cybersecurity, information technology and engineering experience and he has served as the Chief Information Security Officer for multiple technology companies. Similarly, the members of the ERM Committee possess significant risk management experience obtained by their collective years of experience at Bloom and other companies of similar or greater complexity.

Company Information