PLUG POWER INC - (PLUG)
10-K Filing Date: February 29, 2024
Cybersecurity Risk Management
We face a number of cybersecurity risks in connection with our business and recognize the growing threat within the general marketplace and our industry. Additionally, in the ordinary course of our business, we use, store, and process data, including data of our employees, partners, collaborators, and vendors. To help the Company identify, assess, and mitigate risks to this data and our systems, we have implemented a cybersecurity risk management program that is informed by recognized industry standards and frameworks and incorporates elements of the same.
Our cybersecurity risk management program includes a number of components, including information security program assessments and continuous monitoring of critical risks from cybersecurity threats using automated tools. We periodically engage third parties to conduct risk assessments on our systems, including penetration testing and other vulnerability analyses. For example, in 2023 we engaged several third parties to assist with implementing processes regarding endpoint detection and response, logging and monitoring, multi-factor authentication, business continuity and disaster recovery, and internet proxies. Additionally, we have implemented an employee education program whereby employees are able to attend cybersecurity awareness training during the onboarding process.
Although we believe risks from cybersecurity threats have not to date materially affected us, including our business strategy, results of operations, or financial condition, we have, from time to time, experienced threats to and breaches of our data and systems, including ransomware attacks and phishing attacks. For more information about the cybersecurity risks we face, see the risk factor entitled “We are dependent on information technology in our operations, and the failure of such technology may adversely affect our business. Security breaches of our information technology systems, including cyber-attacks, ransomware attacks, or use of malware or phishing or other malicious techniques by threat actors, have in the past and could in the future lead to liability, impact our operations, or damage our reputation and financial results” in Item 1A, “Risk Factors”.
Governance
The Vice President of Information Technology (“VP of IT”) oversees the daily operations of our cybersecurity risk management program and plays a central role in assessing and managing critical risks from cybersecurity threats with the support of additional IT professionals. The VP of IT role is currently held by an individual who has approximately twenty years of experience in information security management, application portfolio management, and IT governance, risk, and compliance. The VP of IT periodically reports on the cybersecurity program to the Chief Financial Officer (“CFO”).
Our governance framework includes oversight by the Audit Committee of the Board of Directors. The Audit Committee meets quarterly with the CFO regarding the cybersecurity risk management program, including as relates to critical cybersecurity risks and cybersecurity initiatives and strategies. Additionally, on an annual basis, the VP of IT reports the current state of cybersecurity risk management to the full Board of Directors. The Board of Directors, as a whole and through its committees, has responsibility for the oversight of risk management.