STEM, INC. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 5, 2026

STEM, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 18:18:40 EST.

Filings

10-K filed on 2026-03-04

STEM, INC. filed a 10-K at 2026-03-04 18:18:40 EST
Accession Number: 0001758766-26-000016

Item 1C. Cybersecurity.

We maintain a cyber risk management program that is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The design of our program is based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. We have implemented a cyber incident response standard operating procedure (the "SOP") detailing actions to be taken in the event of a cyber incident. Pursuant to the SOP, any suspected cyber breaches or detected vulnerabilities are promptly reported by our cybersecurity team to our Chief Technology Officer ("CTO") and Chief Legal Officer ("CLO") for further assessment and/or remediation. In addition, we require our employees to regularly participate in mandatory cybersecurity training that covers critical aspects of digital security, including phishing prevention, threat awareness, and safe data handling practices. Cybersecurity risk considerations are also incorporated into our broader business continuity planning.

In addition to our internal processes, our partnerships with various third-party vendors comprise a key component of our cyber risk management program. We engage several reputable third-party companies to monitor and work to maintain the performance and effectiveness of our products and services, as well as to conduct System and Organization Controls (SOC) assessments and our mandatory cybersecurity training for employees. We are also implementing systems and processes designed to oversee, identify and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use.

Our Chief Information Security Officer ("CISO"), who has extensive cybersecurity knowledge and skills gained from more than 20 years of work experience at the Company and elsewhere, is the head of our experienced cybersecurity team and is responsible for assessing and managing our cyber risk management program. The CISO receives reports on cybersecurity threats on an ongoing basis and regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO collaborates with our business, engineering, human resources, legal, and other functions to implement and enforce our cyber policies. Our CISO reports to our CTO, and they collectively inform our senior management regarding the prevention, detection, mitigation, and remediation of incidents and vulnerabilities.

The Audit Committee of the Board of Directors (the "Board") oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Each quarter, our CTO updates the Audit Committee on the development and effectiveness of our cyber risk management program. In addition, the Audit Committee is responsible for periodically reviewing and discussing with management our practices with respect to cybersecurity and information security risk management. In addition, cybersecurity risks are reviewed by the Board as part of the Company's corporate risk mapping exercise.

Although we have experienced, and will continue to experience, cyber incidents in the normal course of our business, as of the date of this report, prior cyber incidents have not had a material adverse effect on the Company, including our business strategy, results of operations, and financial conditions.

For a further explanation of the cybersecurity risks and threats to which we could be subject, see "A failure of our information technology and data security infrastructure could adversely affect our business and operations" in Part I, Item 1A, "Risk Factors" of this Annual Report on Form 10-K.


Company Information

Name: STEM, INC.
CIK: 0001758766
SIC Description: Services-Computer Integrated Systems Design
Ticker: STEM - NYSE
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 31