Enviva Inc. 10-K Cybersecurity GRC - 2024-10-03

Page last updated on October 3, 2024

Enviva Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-03 17:13:11 EDT.

Filings

10-K filed on 2024-10-03

Enviva Inc. filed a 10-K at 2024-10-03 17:13:11 EDT
Accession Number: 0001592057-24-000036


Item 1C. Cybersecurity.

Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks

We may collect and store certain sensitive Company information, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party information, and employee information. Our ability to manage our business functions efficiently and effectively depends significantly on the availability and security of this information. We seek to assess, identify, and manage cybersecurity risks through the processes described below:

Risk Assessment

A multi-layered approach and methodology designed to protect and monitor data and manage cybersecurity risk has been implemented. Regular assessments of our cybersecurity safeguards are conducted by independent cybersecurity vendors who specialize in application and network penetration testing, threat emulation, social engineering, and best practice gap assessments. Our IT Risk and Cyber Security department conducts regular audits and assessments to identify, evaluate, and manage cybersecurity risks. As a result of these assessments and audits, we endeavor to update IT infrastructure, technical controls, procedures, policies, and education programs to improve resilience to cybersecurity threats. Additionally, we assess third-party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addenda to our contracts where applicable.

Incident Identification and Response

A cyber incident detection system has been implemented to help promptly identify cybersecurity incidents. In the event of any cybersecurity incident, we have a cross-functional incident response plan that is designed to provide for escalating actions to identify the cause, contain the incident, mitigate the impact, and efficiently restore normal operations. The incident response plan is reviewed annually, and a tabletop exercise testing the incident response plan is periodically conducted.

Cybersecurity Training and Awareness

We require all employees with access to our systems to complete an annual information and cyber security training and conduct simulated phishing campaigns to measure the effectiveness of the training program.

Access Controls

Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. A multi-factor authentication requirement has been implemented for employees and third parties accessing sensitive company information.

Encryption and Data Protection

Encryption methods are used to protect sensitive data in transit and at rest. This includes the encryption of customer data, financial information, and other confidential data.

We engage third-party vendors, such as independent service auditors, consultants, regulatory auditors, law firms, forensic specialists, and other third-party service providers in connection with the above processes. We recognize that third-party service providers introduce cybersecurity risks. Additionally, we endeavor to include cybersecurity requirements in our contracts with service and solution providers and to require them to adhere to security standards and protocols. Further, we request that third-party service providers with access to personally identifiable information enter into data processing services agreements and adhere to our policies and standards.

The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management processes. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management processes.

Impact of Risks from Cybersecurity Threats

We have experienced attempted cybersecurity attacks, but have not suffered any material adverse impacts to our business and operations as a result of such unsuccessful attempts. However, we acknowledge that cybersecurity attacks are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See Item 1A - “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Board of Directors’ Oversight and Management’s Role

Our Vice President, Information Technology oversees the Company’s cybersecurity initiatives. The head of the IT Risk & Cyber Security delivers quarterly updates to senior leaders, discussing the effectiveness of our cybersecurity strategy and to communicate our program, health, performance, metrics, and roadmap. In addition, our Vice President, Information Technology is responsible for upward reporting of emerging cybersecurity incidents. Recognizing the importance of cybersecurity to the success and resilience of our business, the Board considers cybersecurity to be a vital aspect of corporate governance. To facilitate effective oversight, our Cyber Security team holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks.

Our Cyber Security team is made up of highly experienced professionals with an extensive background in information security and risk management, including disciplines such as security architecture, system security, identity and access management, communication and network security, security operations and software development security. This background includes experience across a variety of industries and various relevant degrees and certifications. The Cyber Security team is supported by managed service providers who bring diverse expertise in areas such as network security, data protection, and threat intelligence.


Company Information

Name: Enviva Inc.
CIK: 0001592057
SIC Description: Lumber & Wood Products (No Furniture)
Ticker: EVA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30