NUSCALE POWER Corp - (SMR)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Compliance Officer and Vice President, Information Technology (“IT”), regularly brief the Board of Directors on our cybersecurity and information security posture and the Board of Directors is apprised of any cybersecurity incidents deemed to have a moderate or higher business impact. The Audit Committee of the Board of Directors is briefed by senior leadership, as appropriate, on the cybersecurity of DOE and NRC programs and the security of our business supply chain. Other than oversight of business cybersecurity, the full Board retains oversight of cybersecurity because of its importance to NuScale and the heightened risk in the nuclear power sector. In the event of an incident, we intend to follow our incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate.

Our corporate information security organization, led by our Vice President, IT is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current Vice President, IT has extensive information technology and program management experience, has over a decade of experience leading cybersecurity oversight, and others on our IT security team have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification. The corporate information security organization manages and continually enhances a robust enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur.

The corporate information security organization has implemented a governance structure and processes to assess, identify, manage and report cybersecurity risks. For the current reporting period, there have been no incidents that have materially affected or are reasonably likely to materially affect NuScale, including its business strategy, results of operations or financial condition. As a nuclear contractor, we must comply with extensive regulations, including requirements imposed by the DOE and NRC related to adequately protecting safeguards information and reporting cybersecurity incidents to the DOE and NRC when required. We have implemented cybersecurity policies and frameworks based on industry and governmental standards to align closely with DOE and NRC requirements, instructions and guidance. In addition to following DOE and NRC guidance and implementing pre-existing third party frameworks, we have developed our own practices, which we believe enhance our ability to identify and manage cybersecurity risks.

Third parties also play a role in our cybersecurity. We engage third-party services to conduct around the clock monitoring and prevention of suspected malicious activity on company-owned systems, filter all email and web browser activity, provide proactive threat intelligence services, and perform regular evaluations of our security controls, whether through external and internal network penetration testing, physical security assessments, independent audits or consulting. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our nuclear design and construction partners, government agencies, information sharing and analysis centers and cybersecurity associations.

Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management (“ERM”) process. Cybersecurity related risks are included in the risk universe that the ERM function evaluates to assess top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process’s annual risk assessment is presented by the Senior Director, Treasury, SOX, ERM and ESG to the Board of Directors.

We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or joint venture partner could materially adversely impact us. We assess third party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addendums to our contracts where applicable. We also contractually flow cybersecurity regulatory requirements to our subcontractors as required by government agency-specific requirements. These contractual flow downs include the requirement that our subcontractors implement certain security controls. We also require that our subcontractors report cybersecurity incidents to us so that we can assess the impact of the incident on us. For select suppliers, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those suppliers to address potential deficiencies identified. We also make available cybersecurity education and awareness materials and briefings to our suppliers, as necessary.

Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While NuScale Power maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.