Clean Energy Fuels Corp. - (CLNE)

10-K Filing Date: February 29, 2024

Item 1C. Cybersecurity.

We maintain an information security program as part of our enterprise-wide risk management system. Our information security program is managed by our Group Vice President, whose portfolio includes top level oversight of information technology, information security and IT risk management. The Group Vice president is responsible, along with his team, for leading company-wide cybersecurity strategy, policy, standards, architecture, and processes. Our Group Vice President has served in that role since 2012 and has been in cybersecurity related roles for 25 years. Our Group Vice President and IT Director provide periodic updates to our Board of Directors, Audit Committee, and other senior management members. These updates include, among other risk management issues, updates on the Company’s cybersecurity risks and threats,

30

the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.

Our program is regularly evaluated by internal and external experts with the results of those reviews reported to the Board of Directors, Audit Committee, and senior management. We also collaborate with thought leaders in cybersecurity including with key vendors, business partners, cybersecurity and data breach response counsel, and industry participants as part of our continuing efforts to evaluate and improve the effectiveness of our information security policies and procedures. This collaboration allows us to rapidly adopt industry best practices developed through firsthand experience mitigating cyber incidents.

When reviewing potential threats or cybersecurity incidents, our Board of Directors has delegated the authority to the Audit Committee to setup crisis incident management teams comprised of senior management and appropriate specialists. These crisis incident management teams report on an as needed basis to the Audit Committee and full Board of Directors to keep them informed and seek direction where necessary.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk Factors” in this annual report on Form 10-K, including “We rely on information technology in our operations, and any material failure, inadequacy, interruption, or security failure of that technology could harm our business,” for additional discussion about cybersecurity-related risks.