Aeva Technologies, Inc. - (AEVA)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

The Company’s Information Technology team has established an information security management system to safeguard the confidentiality, integrity, and availability of the Company’s products, infrastructure, and data. This system is integrated with our Quality and Business Management Systems and aims to identify, assess, and address cybersecurity risks affecting our business. It features an Incident Response Procedure (“IRP”) that specifies roles and responsibilities during security incidents, detailing incident detection, investigation, mitigation, and prompt incident reporting procedures.

The IT Director leads and coordinates cybersecurity efforts at Aeva, providing regular updates on cybersecurity progress to the senior leadership team. The Information Security team actively shares updates on the status of cybersecurity efforts and risks, evaluates our information security programs, and monitors the evolving threat landscape on a company-wide level.

Additionally, we conduct regular internal assessments and audits, complemented by insights from external experts. The outcomes of these evaluations are communicated to senior leadership. Based on these risk assessments, we redesign, implement, and maintain adequate safeguards to reduce identified risks, address gaps, and continuously assess the efficacy of these measures. We engage relentlessly with our key partners, vendors, customers, industry stakeholders, and government bodies, aiming to improve our information security policies and procedures over time. We aim to diligently manage risks related to cybersecurity threats from third-party service providers, including, when possible, by requesting that our service providers report incidents that may compromise the Company’s data.

Risks from Threats and Incidents

Our IT infrastructure, encompassing operational and security systems, integrated software, and data processed by us or our third-party vendors, is vulnerable to cybersecurity threats and incidents. As of December 31, 2023, these risks have not significantly impacted the Company, including our business strategy, operational results, or financial results.

Governance

Our Chief Technology Officer is tasked with assessing and managing significant cybersecurity risks across the Company based on the assessments of our IT Director. Our IT Director brings a wealth of IT and Information Security expertise from various roles in the technology industry.

The Audit Committee has recently been assigned responsibility for overseeing our cybersecurity, including assessment, prevention, detection, and remediation of cyber risks, threats and incidents. When incidents occur, depending on the nature and severity, the Audit Committee is notified, and incidents are further reviewed with the Audit Committee. Material cybersecurity matters will be reviewed with the full Board of Directors.