FUELCELL ENERGY INC 10-K Cybersecurity GRC - 2024-12-27

Page last updated on December 27, 2024

FUELCELL ENERGY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-27 16:58:55 EST.

Filings

10-K filed on 2024-12-27

FUELCELL ENERGY INC filed a 10-K at 2024-12-27 16:58:55 EST
Accession Number: 0001558370-24-016497


Item 1C. Cybersecurity.

The Company’s Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, business partners, and employees. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company’s cybersecurity policies, standards, processes, and practices are integrated into the Company’s ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving operational continuity and the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity program is focused on the following key areas:

● Governance: As discussed in more detail under the heading “Governance,” the Board’s oversight of cybersecurity risk management has been delegated to the Audit, Finance and Risk Committee of the Board (the “Audit Committee”), which interacts with the Company’s ERM function, the Company’s Global Vice President of Information Technology, the Company’s Director of Cyber Security, and other members of management and relevant management committees and councils.

● Collaborative Approach: The Company has adopted a cross-functional approach toward identifying, prioritizing, and implementing the means to protect information technology systems and its employees from cybersecurity threats. Additionally, the Company has established communications protocols and processes to escalate cybersecurity incidents to engage management as needed to make timely decisions regarding incident response, recovery, and any required disclosures.

● Technical Safeguards: The Company uses an array of complex technologies and services to protect its information systems and employees from cybersecurity threats. Examples include firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls. These safeguards are evaluated and improved through learnings derived from vulnerability assessments, penetration tests, and cybersecurity threat intelligence.

● Incident Response and Recovery Planning: The Company has defined and maintains cross-functional incident response and recovery plans that will guide the Company’s response to a cybersecurity incident. These plans are reviewed by senior management and are evaluated through tabletop exercises on a regular basis.

● Third-Party Risk Management: The Company uses a risk-based approach to identify and manage cybersecurity risks from third parties, including vendors and service providers. The focus of these efforts is to identify and mitigate threats that could impact Company operations.

● Education and Awareness: All new hires are required to complete mandatory cybersecurity awareness training upon joining the Company. Follow-on training is then assigned to all employees on a regular basis. Training assignments reinforce the Company’s security and information technology acceptable use policies, while also helping employees identify and properly respond to cybersecurity threats. To help assess and maintain awareness, training is supplemented with simulated phishing e-mails that are sent on a regular basis.

The Company engages third parties in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including penetration testing, vulnerability assessments, tabletop exercises, and other activities focused on evaluating the effectiveness of our cybersecurity measures and planning. The results of such assessments influence the Company’s tuning of cybersecurity policies, standards, processes and practices, the results of which are shared with the Board and the Audit Committee.

Governance

The Board, in coordination with the Audit Committee, oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The Board and the Audit Committee each receive regular updates on cybersecurity program key metrics, outstanding vulnerabilities, and emerging cybersecurity risks. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

The Global Vice President of Information Technology and Director of Cyber Security work in close partnership with the Company’s senior leadership team to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. This collaboration work includes activities in support of the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and to report such threats and incidents to the Audit Committee and others when appropriate.

The Global Vice President of Information Technology earned a Bachelor of Science Degree in Management Information Systems from Western Connecticut State University and has served in various roles in information technology and information security for over 30 years, including serving in leadership roles of two large public companies. The Director of Cyber Security earned a Bachelor’s Degree in Information Systems from Western New England University and has extensive cybersecurity leadership experience, including expertise in threat data analytics, digital forensics, and data recovery. Prior to joining the Company, the Director of Cyber Security formed and served as CEO of a successful incident response and cybersecurity consulting firm.

Impacts of Cybersecurity Threats

To date, there have been no cyber security threats or incidents that have materially impacted our operations or financial condition. However, as a result of risks from cybersecurity threats, including as a result of previous cybersecurity incidents, we continue to allocate substantial resources to sustain and enhance our cyber security capabilities, which allocation of resources has in turn materially affected our business strategy and processes. Despite these investments, we cannot be certain that the protective measures and processes implemented will be successful or adequate to counter all current and emerging risks and threats. A significant cybersecurity incident involving our systems and data, or those of our customers, business partners or vendors, could have a materially adverse effect on our business strategy, results of operations and financial condition.


Company Information

Name: FUELCELL ENERGY INC
CIK: 0000886128
SIC Description: Electrical Industrial Apparatus
Ticker: FCEL - Nasdaq; FCELB - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: October 30