Luminar Technologies, Inc./DE - (LAZR)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY.
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. These risks affect us, as well as our suppliers, customers, and ultimately their consumers.
We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan. Our approach includes, among other things:
•adoption of frameworks established by the National Institute of Standards and Technology (“NIST”) and International Organization for Standardization (“ISO”) for a flexible, tailored, and risk-based approach to cybersecurity, helping to ensure a continuous process of identifying, protecting against, detecting, responding to, and recovering from cyber incidents;
•alignment with ISO/SAE 21434 (road vehicle cybersecurity engineering) and ISO/IEC 27001 (information security management) standards, addressing cybersecurity aspects of automotive products and the broader information security management system, which we establish, implement, maintain, and continually improve to protect the confidentiality, integrity, and availability of our information, as well as to meet the cybersecurity standards and product requirements established by our OEM customers;
•conducting regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems;
•providing cybersecurity training programs for employees, management, and directors, including conducting periodic phishing tests to promote awareness for all employees and all contractors with access to corporate email systems;
•leveraging industry best practices for incident handling to help identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident, and participating in an industry information sharing and analysis center;
•employing threat intelligence monitoring processes to model, research, and respond to cyber threats in a proactive manner;
•closely monitoring emerging data protection laws and implementing changes to our processes accordingly;
•undertaking a periodic review of public-facing policies and statements related to cybersecurity;
•carrying information security risk insurance that may provide some protection against the potential losses arising from a cybersecurity incident; and
•tracking key performance indicators pertaining to cybersecurity incidents, response and recovery, vulnerabilities, and risks.
These approaches vary in maturity across the business and we work to continually improve them.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader enterprise risk management assessment process, which covers all company risks. As part of this process, appropriate disclosure personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
We conduct regular internal reviews of our cybersecurity program, which are overseen by our executive management, and material issues are presented to the board of directors. Our cybersecurity department also participates in our regular quarterly Disclosure Committee meetings to review risks requiring disclosure in financial reporting.
Our processes also address oversight and identification of cybersecurity threat risks from our use of third-party service providers, including those in our supply chain. This involves, among other things, conducting pre-engagement risk-based diligence and ongoing monitoring as needed. We also engage third-party service providers from time to time to assist in risk assessment and implementation of monitoring tools, and we review our cybersecurity controls with auditors.
Our business strategy, results of operations and financial condition have not been materially affected by cybersecurity risks, threats, or incidents in the past, and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none. We continue to invest in the cybersecurity and resiliency of systems and products and to enhance our internal controls and processes, which are designed to help protect our systems, products, and the information they contain. Nevertheless, we cannot guarantee that we will not be materially affected in the future by such risks or experience future material incidents.
We more fully describe whether and how risks from identified cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under Item 1A. of this Form 10-K. See the risk factors captioned “We may experience difficulties in managing our growth and expanding our operations,” “We are subject to cybersecurity risks to our and our suppliers’ operational systems, security systems, infrastructure, integrated software in our LiDAR solutions and customer data processed by us or third-party vendors or suppliers and any material failure, weakness, interruption, cyber event, incident or breach of security could prevent us from effectively operating our business” and “Failures, or perceived failures, to comply with privacy, data protection, and information security requirements in the variety of jurisdictions in which we operate may adversely impact our business, and such legal requirements are evolving, uncertain and may require improvements in, or changes to, our policies and operations.”
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
The Audit Committee of our Board (“Audit Committee”) is responsible for the oversight of cybersecurity, including assessment, prevention, detection, and remediation of cyber risks, threats and incidents. Multiple times per year, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing the Company’s ability to mitigate those risks, and discusses such matters with our Vice President of IT, who is responsible for cybersecurity and is supported by our Chief Legal Officer. Members of the Audit Committee also regularly engage in ad hoc conversations with management on cybersecurity-related matters and news events and discuss any updates to our cybersecurity risk management and strategy programs. When incidents occur, depending on the nature and severity, the Audit Committee Chair is notified immediately, and incidents are further reviewed periodically with the Audit Committee. Material cybersecurity matters are also periodically reviewed with the full Board of Directors.