Hyzon Motors Inc. - (HYZN)
10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We understand and recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks; intellectual property theft; fraud; extortion; harm to employees, vendors, or customers; and violation of data privacy or security laws.
We integrate the monitoring and assessing of cybersecurity risk into our overall risk management systems and processes. Cybersecurity risks are identified and addressed through a multi-faceted approach including third-party assessments, IT security, governance, risk and compliance reviews. Our cybersecurity program is aligned with the National Institute of Standards and Technology Cyber Security Framework (NIST-CSF) and NIST Computer Security Incident Handling Guide. Consistent with that framework, our cybersecurity program addresses the need to assess, identify, protect, detect, respond and recover from cyber risks. To accomplish this, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, conduct annual and on-demand employee phishing training, maintain insurance related to cybersecurity risks, pre-screen IT services provided by contractors, and monitor emerging laws and regulations related to data protection and privacy.
We have adopted a Cybersecurity Incident Response Plan ("CSIRP") to provide the organizational and operational structure, processes, and procedures for investigating, containing, documenting and mitigating cybersecurity incidents, including keeping senior management and other key stakeholders informed and involved as appropriate. The CSIRP encompasses four key stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of security incidents, 3) containment, eradication, and recovery, and 4) post-incident analysis. Oversight of these incident responses is provided by leaders from our Information Security, Product Security, and Legal teams, ensuring comprehensive coverage and alignment with cybersecurity best practices as outlined by NIST.
We also established a cybersecurity compliance and reporting team, which includes our Vice President of Digital Innovation, our Director of Cybersecurity, and legal and corporate reporting team members. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Cyber incidents or attacks directed at us could result in information theft, data corruption, operational disruption and/or financial loss” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
Cybersecurity is covered in our enterprise risk management processes and is an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our Information Security and Legal teams, regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Hyzon's cybersecurity organization is led by our Vice President of Digital Innovation, with support from our Director of Cybersecurity, who are responsible for assessing and managing material risks from cybersecurity threats and report up to our Chief Financial Officer. Collectively, the Vice President of Digital Innovation and Director of Cybersecurity have more than 30 years of experience in various roles involving managing cybersecurity functions and developing cybersecurity strategies to protect privacy, customer safety and intellectual property.