Eos Energy Enterprises, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Eos Energy Enterprises, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 06:38:49 EST.

Filings

10-K filed on 2026-02-26

Eos Energy Enterprises, Inc. filed a 10-K at 2026-02-26 06:38:49 EST
Accession Number: 0001628280-26-011961

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. Identifying and assessing cybersecurity risk is integrated into our overall risk management processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third party assessments, internal IT Audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, monitor emerging laws and regulations related to data protection and information security, and implement appropriate changes. Our incident response processes have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our IT, Legal and Compliance teams regarding matters of cybersecurity. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact. While we generally perform cybersecurity diligence to assess third party service providers and potential fourth-party risks when and/or processing our employee, business or customer data on our other key service providers such as vendors, suppliers, and other business partners, we do not control our service providers and our ability to monitor their cybersecurity is limited. Some of our service providers may store or have access to our data and may not have effective controls, processes, or practices to protect our information from loss, unauthorized disclosure, unauthorized use or misappropriation or cybersecurity breaches. A vulnerability in our service providers' software or systems, a failure of our service providers' safeguards, policies or procedures, or a cybersecurity breach affecting any of these third parties could harm our business. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our IT Legal, and Compliance teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our cybersecurity risk management and strategy processes are overseen by our CIO and leaders from our Legal and Compliance teams. Our CIO has over 15 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their 36 management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items. To date, no attempts to gain unauthorized access to our network or IT systems have resulted in any material adverse impact to our business or operations; however, there can be no guarantee that such intrusions will not be material in the future. While we seek to detect and investigate all unauthorized attempts and attacks against our IT systems. network and products, and to prevent their recurrence where practicable through changes to our internal processes and tools and/or changes to our products, we remain potentially vulnerable to additional known or unknown threats, such as, among other things, malware and computer virus attacks, ransomware attacks, social engineering attacks (including phishing attacks), denial-of-service attacks, credential stuffing, terrorist attacks, civil unrest, military conflict or supply chain attacks.

Company Information