Nuvve Holding Corp. - (NVVE)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity

RISK MANAGEMENT and STRATEGY

Overall Process

We protect our digital systems and data through a comprehensive cybersecurity management program, which includes a dedicated cybersecurity function, risk assessments, policies and procedures, and technical measures and related services from third-party service providers. Our Cybersecurity Working Group (“CWG”) has overall responsibility for the cybersecurity program, including threat detection and response, vulnerability management, governance, risk and compliance, security strategy and architecture, security engineering and operations, and product and operational technology security. The CWG is responsible for monitoring both internal and external cybersecurity threats, conducting an initial assessment of severity, coordinating incident response resources, reducing incident response time, and shifting the Company toward a proactive cyber-defense model, which includes a dedicated threat intelligence program that leverages custom intelligence platforms, industry-specific professional associations, and ongoing threat hunting. Through our cybersecurity risk management program, we monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational and financial effects of each threat and of the countermeasures we deploy against it.

We have outlined preliminary policies and procedures, including our Incident Response Plan ("IRP"), for assessing, identifying, managing, and responding to cybersecurity and privacy threats and incidents, including protocols for assessing the potential material impact of cybersecurity threats and incidents, escalating to executive leadership and the Board, engaging external stakeholders, and reporting incidents in accordance with applicable legal requirements. Our IRP provides guidance in the event of a cybersecurity incident, including processes, with assigned roles and responsibilities, to perform a preliminary assessment, assess severity, escalate, contain, investigate, and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Our policies and procedures incorporate regular cybersecurity tabletop exercises to test established policies and procedures for responding to cybersecurity threats and incidents. In addition, employees and stakeholders can report cybersecurity threats, cybersecurity and data privacy incidents, or other concerns through an internal reporting channel.

Risk Management Process Integration

Our risk management processes, including cybersecurity, are overseen by the Audit Committee of our board of directors. Our processes include ongoing information technology risk assessments and third-party security risk assessments.

Our cybersecurity risk management efforts have also been integrated into the overall risk management process, which includes assessment of cybersecurity risks that could result in significant operational disruption to the Company, such as business downtime, loss of the Company’s financial assets, or other operational interruptions, as well as risks that could have significant reputational and compliance/regulatory impact. Cybersecurity risks identified and tracked through our risk management process have assigned risk owners at the executive leadership level and risk delegates who are responsible for identifying and managing risk mitigation actions. Key risk indicators are updated periodically and communicated to our executive leadership.

We leverage recognized cybersecurity frameworks to drive strategic direction and maturity improvement and engage third-party security experts for risk assessments, risk mitigation actions, and program enhancements. We also include cybersecurity training as part of our required annual employee training program. In addition, cybersecurity and privacy training and awareness are integrated and continue throughout the year, using various delivery methods such as simulated phishing campaigns, training sessions, and informational articles.

Third Party Security Experts

We engage third-party security experts to supplement our internal CWG team as well as for assessments, penetration tests, and program enhancements, including vulnerability assessments, security framework maturity assessments, and identification of areas for continued focus and improvement. In addition, our third-party experts provide guidance to support our cybersecurity efforts. We use the findings of these third-party experts to improve our practices, procedures, and technologies. We also engage third-party security experts as necessary to support our cybersecurity threat and incident response management, and we maintain information security risk insurance coverage.

Identification of Threats Associated with Third Parties

We utilize an internal risk management process to identify, assess, monitor, and mitigate risks associated with third-party relationships, including cybersecurity risks. We conduct initial risk assessments of key third-party suppliers and service providers based on various factors to classify each into a risk category. Our process is designed to apply our most rigorous processes to those suppliers and service providers that are classified into the highest risk category. These processes include due diligence assessments of key third-party suppliers and service providers that have access to our networks, confidential information, and information systems, in order to assess the risks from cybersecurity threats that could impact those suppliers and service providers. We leverage external partners to assist with the regular assessment of our top-priority suppliers and third-party service providers to identify, review, and address risks, including deeper reviews of their cybersecurity controls. We also require that our key suppliers and third-party service providers have in place appropriate technical and organizational security measures and security-control principles based on recognized cybersecurity standards.

Incidents and Risks

Nuvve Holding Corp. has not experienced a material cybersecurity incident. Although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For more information on our cybersecurity risks, see "Technology, Intellectual Property, and Infrastructure" in the "Risk Factors" section of Item 1A of Part I herein.

GOVERNANCE

Board of Directors

Oversight responsibility for our cybersecurity and digital trust compliance programs and risks lies with the Audit Committee of our board of directors. Our board of directors has ultimate oversight responsibility for our cybersecurity program and for all operational, financial, strategic, and reputational risks; oversight of specific risks, including those related to cybersecurity, privacy, and technology, is undertaken through the committee structure.

The Audit Committee receives reports on the Company's cybersecurity program and developments from our CWG at its regular meetings, at least once a year or as needed. These reports typically include analyses of recent cybersecurity threats and incidents at the Company and across the industry, a review of our own security controls, assessments, program maturity, and risk mitigation status, and a review of our key third-party service providers. Our digital technology, legal, and corporate audit functions also routinely present to the Audit Committee on key cybersecurity topics, and, on at least an annual basis, the Board receives reports on the Company's cybersecurity program and developments from the CWG.

Management

Our programs are focused on building digital trust through sound oversight of cybersecurity and data privacy protections and the responsible use of data and technology. We operate a CWG and take a cross-functional approach to addressing cybersecurity-related risks through the compliance structures within our digital technology function.

Our senior executive leadership is actively engaged in the oversight and strategic direction of our cybersecurity and digital trust compliance programs, with active participation in the CWG. The CWG is responsible for assessing cybersecurity risks, providing direction and oversight for risk mitigation action, and assisting the Audit Committee in overseeing the Company’s cybersecurity risks. The CWG also develops periodic reports on the Company's cybersecurity program and developments. The CWG members include the Chief Operating Officer, Chief Financial Officer, and Vice President of Technology.

The Chief Operating Officer is National Association of Corporate Directors (“NACD”) Directorship Certified® and has earned the NACD certificate in cyber risk oversight.

Our policies and procedures include the establishment of an Incident Response Team ("IRT") that consists primarily of representatives from the CWG, legal, corporate communications, finance, and other relevant stakeholders. The IRT follows the guidance outlined in the IRP to respond to cybersecurity incidents and escalates to the CWG as necessary based on a defined severity matrix. Senior executive leadership stakeholders are responsible for assessing the materiality of incidents and risks in consultation with the IRT, the CWG, and external advisors.
