Lucid Group, Inc. - (LCID)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
At Lucid, cybersecurity risk management is an integral part of our overall enterprise risk management program. We have made significant investments in people, processes, and technology to protect Lucid’s connected vehicles, services, confidential business information, and employee and consumer personal data. We have implemented multiple and varied processes and technologies for the avoidance, identification, assessment, mitigation, and remediation of risks from cybersecurity threats and incidents, designed to protect against the cybersecurity risk landscape. We are continuously assessing and enhancing our protection, detection, response, and recovery capabilities, and we regularly engage with the cybersecurity community, including Auto-ISAC, third-party cybersecurity and compliance partners, internal stakeholders, and organizations leading best practices, to support our goals and objectives. At its core, our cybersecurity risk management program integrates multiple teams across the organization, including our IT, digital and physical product, infrastructure, and legal teams, with leadership and oversight by executive management, the Audit Committee of the Board of Directors (“Audit Committee”), and the Board of Directors (“Board”).
Governance
Board and Committee Oversight
Our Board has oversight responsibility for our overall enterprise risk management and delegates cybersecurity risk management oversight to the Audit Committee. The Audit Committee oversees Lucid’s policies and practices with respect to risk assessment and risk management, including discussing with management (i) Lucid’s major financial, cybersecurity, privacy and other information technology risk exposures; (ii) the steps that have been taken to monitor and control such exposures; and (iii) any material cybersecurity threats or incidents. The Audit Committee and the Board receive regular reporting from Lucid’s management, including our Senior Director of Security and Compliance and Senior Director of Cybersecurity, Data, and Connectivity, on the status of our cybersecurity program and ad hoc reporting on material cybersecurity threats and incidents.
Management’s Role
At the management level, our information security steering committee, with oversight by our VP of IT and General Counsel, is responsible for leading our cybersecurity risk management program and enterprise cybersecurity matters. Under the information security steering committee, we have a cybersecurity risk and compliance committee, led by our Senior Director of Security and Compliance and Senior Director of Cybersecurity, Data, and Connectivity, which is primarily responsible for operational review of cybersecurity threats and incidents as part of our incident response process. The cybersecurity risk and compliance committee receives reports from our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. For potentially material cybersecurity threats and incidents, we escalate these to the information security steering committee, which, with additional oversight and support from our CEO, would raise such threats and incidents to our Audit Committee Chair and, as appropriate, to our Board as they arise.
Our Senior Director of Security and Compliance and Senior Director of Cybersecurity, Data, and Connectivity, and the dedicated personnel on their teams, hold industry-recognized certifications such as Certified Information Security Manager, Certified Information Systems Security Professional, and Boardroom Qualified Technology Expert, and include experienced information systems security professionals and information security managers with many years of technical cybersecurity management experience.
Management of Cybersecurity Risk
Our Cybersecurity Risk Management Processes
Our cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents by escalating risks, issues, and key decisions to management, the Audit Committee, and our Board. Our program is designed to protect our products and services, confidential business information (including intellectual property), and employee and consumer data, and includes steps for detecting and monitoring cybersecurity threats and incidents; assessing the severity of such threats or incidents; identifying the source of such threats or incidents, including whether such threats or incidents are associated with a third-party vendor or service provider; implementing cybersecurity countermeasures and mitigation strategies; and informing management, the Audit Committee, and our Board of potentially material cybersecurity threats and incidents. In addition, our cybersecurity team provides cybersecurity training to employees during the onboarding process and on a periodic basis thereafter, with specialized training and tabletop exercises for our core incident response teams and executive management on at least an annual basis.
Under the oversight of the information security steering committee, our cybersecurity risk management program is implemented day-to-day by our cybersecurity team, who engage in identifying, considering, and assessing risks from cybersecurity threats and incidents on an ongoing basis; establishing processes to monitor such cybersecurity risks; putting in place mitigation and remediation measures; reviewing and developing policy; supporting and deploying products; and maintaining our cybersecurity measures. Our cybersecurity team also implements ongoing data loss prevention tools and capabilities, customer security measures, incident response measures, and processes for management of third-party vendors and service providers. Cybersecurity incident response is driven by our Lucid Data and Security Incident Response Plan. Based upon the severity assessment and ranking, incidents are handled by the relevant teams for technical, operational, and legal risk management.
Lucid has also implemented processes to integrate our cybersecurity risk management processes into our overall enterprise risk management system, including within our broader product management, personnel management, and third-party vendor and service provider management processes.
Third-Party Auditors and Consultants in Cybersecurity Risk Management
Our cybersecurity team also periodically engages third-party cybersecurity experts for risk assessment and system enhancements. We utilize third-party auditors and assessors in connection with our cybersecurity risk management program to identify gaps and develop policies, procedures, and strategies designed to improve the program posture. We also use third-party consultants to obtain, and will use them to maintain, relevant organizational cybersecurity certifications, including UN Regulation 155 Vehicle Cybersecurity Approval. As a general matter, we have from time to time utilized third-party cybersecurity consultants on an ad hoc basis in specific instances, including (i) to address potential cybersecurity threats and incidents; (ii) to conduct cybersecurity assessments and penetration testing on high-value systems and applications; and (iii) to develop internal capabilities to improve our cybersecurity defense.
Cybersecurity Risk Management of Third-Party Vendors and Service Providers
We have also implemented risk management practices designed to minimize the material cybersecurity risks that arise from utilizing third-party vendors and service providers that receive or have access to Lucid confidential information or personal data. In order to oversee and identify such risks, we have implemented the following processes: (i) a third-party security risk management program designed to assess the security risk of new third-party vendors or service providers and develop countermeasures to manage unacceptable risks; (ii) provisions in our third-party vendor and service provider contracts with added security requirements; (iii) training of procurement teams on management of third-party vendors and service providers; (iv) role-based access controls for third-party personnel; and (v) data transfer mechanisms for the sharing of data with third parties. While we are in the process of increasing the resiliency of these capabilities across the board, our control over and ability to monitor the security posture of third-party vendors and service providers remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our right to indemnification, if any at all, may be limited or insufficient to prevent a negative impact on our business from such compromise or failure.