Xos, Inc. - (XOS)
10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have established policies and processes designed to assess, identify and manage material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. Through the use of manual and automated tools, analysis of reports of threats and threat actors, evaluations of threats reported to us, and internal and external audits, we routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards designed to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Director of Information Technology (IT), who reports to our Chief Operating Officer (COO), as well as our legal department.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with our IT department and management. Personnel at various levels and departments are made aware of our cybersecurity policies through routine training sessions and assessments. Additionally, depending on the environment, systems, and data at issue, we implement and maintain various measures designed to manage and mitigate material risks from cybersecurity threats, including encryption of data, network security controls, cybersecurity insurance, and asset management, tracking, and disposal. We also engage third party service providers to assist us in monitoring and testing our cybersecurity safeguards and compliance, such as cybersecurity software providers, professional services firms (including legal counsel) and firms that conduct security audits and perform user phishing tests and training.
We have not encountered cybersecurity challenges that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For additional information regarding risks from cybersecurity threats, please refer to Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If our information technology systems, those of third parties upon which we rely, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse consequences.”
Governance
One of the key functions of our Board is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure, and our management is responsible for the day-to-day management of the material risks we face. Our Board administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee.
Our Director of IT, who reports to our COO, is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our Director of IT has over 15 years of experience in cybersecurity matters for a range of public and private companies, including leadership roles in IT at three previous public companies.
Our Director of IT oversees our cybersecurity policies and processes, including our incident response processes. Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management and/or the Board, depending on the circumstances.
The Audit Committee and Board receive periodic briefings from the Director of IT regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing and activities of third parties. Our management maintains an active dialogue with the Board and Audit Committee on risk management matters, which includes cybersecurity.