Fluence Energy, Inc. 10-K Cybersecurity GRC - 2024-11-29

Page last updated on December 2, 2024

Fluence Energy, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-29 15:33:59 EST.

Filings

10-K filed on 2024-11-29

Fluence Energy, Inc. filed a 10-K at 2024-11-29 15:33:59 EST
Accession Number: 0001868941-24-000070

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management We manage our cybersecurity risks through an information security management system (ISMS) that falls under our overarching integrated management system (IMS) for quality and safety. Our cybersecurity risk management program and supporting ISMS focus our efforts on reducing residual risks to our critical corporate assets. The materiality of these risks drives the selection of appropriate controls and the prioritization of the projects and operational tasks of our cybersecurity teams. Our approach to controlling these risks is designed and assessed based on our selection and implementation of certain controls from the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. These controls are implemented to help us identify our critical assets and systems, protect them through preventative measures, detect attempts to compromise their confidentiality, integrity, and availability, respond to attacks by containing their progression and notifying relevant parties, and recover effectively if successfully compromised. Key elements of our cybersecurity risk management program include but are not limited to: authentication and authorization procedures, employee security awareness training, logging and monitoring procedures, network segmentation requirements, in transit and at rest encryption of certain data we deem sensitive, periodic vulnerability scanning, periodic control validation through penetration testing, periodic phishing attack simulations, production change control requirements, periodic tabletop exercises, and written incident response plans. We also use external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes. To date, we are not aware of any risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Fluence. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information on potential cybersecurity risks, please see Part I, Item 1A “Risk Factors” for the risk factor entitled " Our business depends on our ability to implement improvements to and properly maintain and protect the continuous operation and data integrity of our information technology infrastructure and other business systems and the inability to do so may have a material adverse effect on our reputation and harm our business prospects, financial conditions, and operating results." Cybersecurity Governance Our cybersecurity program and supporting ISMS are governed by our Cybersecurity Steering Committee, which is chaired by our Chief Information Security Officer (“CISO”) and is comprised of other members of our management team, including individuals from our finance, supply chain, product, information technology (“IT”), and legal departments. The Cybersecurity Steering Committee convenes quarterly to review the ISMS, identify new material risks and potential treatment plans that are recorded in our cybersecurity 57 risk register, and review the overall health of security key risk indicators, technical key performance indicators, and roadmaps for the expected delivery of new and updated controls. Our CISO, in coordination with our Chief Information Officer (“CIO”) to whom the CISO reports, leads our approach to assessing and managing cybersecurity-related risks. Our CISO has over thirty years of experience in IT, with twenty years in information security, as well as a background in software engineering and in leading security engineering teams, technical services and support teams, and sales engineering teams. Our CIO has over 20 years of experience with information technology and cyber security and a background in software engineering. Our CIO has served in lead cyber security roles at global public companies and holds a CISA certification from the Information Systems Audit and Control Association. We have a written cybersecurity incident escalation process overseen by senior leadership, and when senior leadership deems appropriate, a materiality committee is convened comprised of certain members of management who assess whether incidents must be reported to the SEC and/or the appropriate authorities. While Fluence’s board of directors oversees all enterprise risks, the Audit Committee of our board of directors has primary responsibility for overseeing cybersecurity risks and management’s implementation of our cybersecurity risk management program. The Audit Committee receives quarterly updates from the CISO and CIO. These updates typically cover topics such as: overview of material cybersecurity incidents that have occurred since the last update, overview of residual cybersecurity risks to our critical business assets, recent investments in our cybersecurity program, and relevant cybersecurity operational metrics. The Audit Committee will report material updates regarding cybersecurity to the Board. Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Company Information