ChargePoint Holdings, Inc. - (CHPT)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity
Risk Management Strategy and Framework
ChargePoint relies on critical internal and third-party information technology systems, including its Cloud Services, mobile applications, networked charging systems and network operating system, to deliver its products and services to charging station owners and EV drivers. In addition, ChargePoint stores and maintains personal, confidential and private information, including information related to its customers, vendors, mobile application users and employees. ChargePoint refers to the foregoing as its “IT Infrastructure and Confidential Information.”
To safeguard the privacy and security of ChargePoint’s IT Infrastructure and Confidential Information, ChargePoint has implemented a nine-point information security management program designed to identify cybersecurity threats, assess risks, implement remediation measures, and to support internal or external reporting, as set forth below:
Product & Application Security – focuses on building capabilities to detect, mitigate, and monitor security risks to ChargePoint’s hardware (networked charging stations, embedded devices, and telematics devices) and software (Cloud Services, web and mobile) products. ChargePoint conducts internal and external penetration tests, scans code and runs an active bug bounty program to detect security flaws within its architecture, design, and product components. ChargePoint’s comprehensive risk management plan then associates identified findings to ChargePoint’s risk mitigation roadmaps;
Cloud & IT Infrastructure Security – focuses on detecting, mitigating, and monitoring risks to ChargePoint’s critical information technology and Cloud infrastructure that supports its network and products. ChargePoint has configured tools to continuously scan its Cloud infrastructure operating systems, containers, and code pipeline to detect vulnerabilities and software flaws, which are then remediated through its patch management program;
Data Security – focuses on building capabilities to detect, mitigate, and monitor risks to confidential (intellectual property, financials, etc.) and sensitive data (customer data, personally identifiable information, security data, etc.) and secures the data at rest and in transmission through cryptographic mechanisms;
Identity & Access Management Security – focuses on securely creating and managing identities and authorizing appropriate role-based access to ChargePoint’s network environment based on best practices;
Security Compliance – focuses on complying with applicable cybersecurity regulatory requirements and continuously monitoring the ChargePoint network environment to detect and mitigate non-compliance. ChargePoint engages external auditors and consultants to assess its information security management program as well as compliance with standards. As of January 2024, ChargePoint’s information security management programs have been certified as compliant with the ISO 27001, SOC 2 Type 2 and PCI DSS standards and with the Federal Risk and Authorization Management Program (FedRAMP);
End User Security Risks – focuses on building capabilities to detect, monitor and mitigate security risks that arise from negligence and malicious insider intent. In addition to securing endpoints and their access to ChargePoint’s network environment, ChargePoint implements an active cybersecurity training and awareness program for its workforce which includes cybersecurity awareness training for all employees during onboarding and then annually thereafter. Similarly, each employee that has access to ChargePoint’s payment processing information technology environment or dedicated federal cloud environment is provided specific PCI DSS and FedRAMP awareness training prior to being granted such access and annually thereafter. ChargePoint also conducts annual phishing tests and leverages internal public forums such as townhalls, Slack channels, and email newsletters to provide guidance and keep employees updated on the latest cybersecurity threats, trends, and attacks;
Third-Party Security Risks – focuses on building capabilities to detect, mitigate, and monitor security risks that arise from vendors and suppliers. All ChargePoint third-party service providers are subject to a ranking and risk assessment evaluation prior to contracting with such service provider, during which time, ChargePoint assesses the third-party service providers’ security posture, practices, and relevant certifications;
Cyber Threats – focuses on building cyber threat identification capabilities by, among other methods, implementing manual and automated tools and subscribing to reports and services to identify, detect, monitor and mitigate cyber threats in ChargePoint’s environment on an ongoing basis. In the event a threat or risk is identified, ChargePoint maintains and implements an incident response plan. Incidents, once identified or reported, are investigated by the security operations center (SOC) and incident response (IR) teams to determine the magnitude of any impact, exposure to and effects upon ChargePoint assets (if any), and to work to respond to the incident, quarantine any threat and minimize exposure to ChargePoint and its customers or vendors; and
Privacy – focuses on building capabilities to safeguard the privacy of ChargePoint’s customers, employees, and partners in alignment with local and global privacy regulations.
Assessing, identifying and managing cybersecurity-related risks is integrated into ChargePoint’s overall risk operating model. To the extent cybersecurity risks are identified, risk leads are assigned to gather findings and identify gaps, escalate critical or high risks and report findings to ChargePoint’s Chief Information Security Officer (“CISO”). The CISO presents critical risks and risk heat maps to the Audit Committee of the Board of Directors at least annually or more frequently as necessary. Despite ChargePoint’s investments to detect, mitigate, and monitor risks across its products, services, and operational environment, no information security management program can fully guarantee protection against all potential cybersecurity risks, and there can be no assurances that ChargePoint will not be materially affected by such risks in the future. ChargePoint remains committed to continuously enhancing its information security management program to safeguard its IT Infrastructure and Confidential Information.
Cybersecurity Leadership and Management
ChargePoint’s information security management programs are designed and implemented by its Chief Information Security Officer (CISO) and Sr. Director, Information Security and Privacy, who, combined, have thirty-three years of experience in information technology security and privacy. ChargePoint’s management team, including its information technology (IT) management team, is responsible for assessing and managing its material risks from cybersecurity threats. The IT management team has primary responsibility for ChargePoint’s overall cybersecurity risk management program and supervises both its internal cybersecurity personnel and retained external cybersecurity consultants. ChargePoint’s IT management team holds certifications from various organizations, such as CISSP (Certified Information Security Professional), CEH (Certified Ethical Hacker), CIPP (Certified Information Privacy Professional), CIPM (Certified Information Privacy Manager), OSCE (Offensive Security Certified Expert) and CISA (Certified Information Systems Auditor).
ChargePoint’s IT Infrastructure and Confidential Information is managed and secured across functional reporting lines, with segregated duties for the individuals responsible for (1) Cloud security, SOC, and individual access management, (2) governance, risk, compliance and privacy, (3) product security, and (4) infrastructure. ChargePoint’s risk assessment methodology implements continuous reporting requirements for ChargePoint’s cybersecurity risk management performance, which include (i) a quarterly risk program status report to ChargePoint’s CISO and Sr. Director, Information Security and Privacy and (ii) executive reports by both the CISO and Sr. Director, Information Security and Privacy on ChargePoint’s cybersecurity risk posture to executive leadership no less than every six months.
Board Oversight of Cybersecurity Risk
The Audit Committee of ChargePoint’s Board of Directors has primary responsibility for overseeing ChargePoint’s information security management program relating to its IT Infrastructure and Confidential Information. As part of the Audit Committee’s oversight of risks from cybersecurity threats, the CISO leads an annual review and discussion with the Board of Directors dedicated to ChargePoint’s information security management program. The CISO provides updates on ChargePoint’s information security management program to the Audit Committee at least every six months and additional updates throughout the year as necessary.
For further information regarding the risks to ChargePoint associated with cybersecurity incidents and other events, including information and security breaches, and how such risks may affect ChargePoint, see the Risk Factors in Part 1, Item 1A of this Annual Report on Form 10-K entitled, “ChargePoint is highly reliant on its networked charging solution and information technology systems and data, and those of its service providers and component suppliers, any of which systems and data may be subject to cyber-attacks, service disruptions or other security incidents, which could result in data breaches, loss or interruption of services, intellectual property theft, claims, litigation, regulatory investigations, significant liability, reputational damage and other adverse consequences” and “Computer malware, viruses, ransomware, hacking, phishing attacks and similar disruptions could result in security and privacy breaches and interruption in service, which could harm ChargePoint’s business.” To date, ChargePoint has not identified any risks from a cybersecurity threat or incident that the Company believes has, or is reasonably likely to, materially affect ChargePoint, its business strategy, results of operation or financial condition.