Hyliion Holdings Corp. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

Hyliion Holdings Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:21:36 EST.

Filings

10-K filed on 2025-02-25

Hyliion Holdings Corp. filed a 10-K at 2025-02-25 16:21:36 EST
Accession Number: 0001759631-25-000051


Item 1C. Cybersecurity.

We understand the critical importance of cybersecurity and proactively manage vulnerabilities to ensure the confidentiality, integrity, and availability of our information assets. While we have not experienced any material risks from cybersecurity incidents or threats to date, we recognize the evolving threat landscape and remain vigilant in our security posture.

Risk Management and Strategy

Our cybersecurity risk management program leverages the National Institute of Standards and Technology (“NIST”) 800-37 framework as a foundation, customized to align with our entity size, risk profile, and industry best practices. We believe that leveraging the NIST framework as a foundation ensures a balanced approach for mitigating vulnerabilities while maintaining operational efficiency.

We maintain a comprehensive incident response plan with clearly defined roles and responsibilities. In the event of an incident, the plan outlines notification procedures, containment measures, eradication steps, and recovery processes. We also conduct annual reviews to ensure the plan’s effectiveness.

We conduct annual cybersecurity assessments and implement controls around any deficiencies in security that are identified, engaging third-party consultants to assist which include tabletop exercises to ensure that our incident management processes function as intended. This assessment covers entity-level controls, threat management, and reviews of critical third-party security measures.

Materiality of individual cybersecurity incidents is determined by a comprehensive assessment framework considering, but not limited to, the following factors:

- Impact on Business Operations: Potential disruptions to critical systems, services, or financial transactions.
- Data Sensitivity: The nature and sensitivity of the data involved, with incidents concerning personally identifiable information or highly confidential data deemed more material.
- Regulatory Compliance: Potential violations of cybersecurity laws, regulations, or industry standards.
- Reputational Risk: Harm to the Company’s reputation, customer trust, and brand value.
- Legal Obligations: Legal requirements for reporting incidents and potential consequences of non-compliance.

Identification, Assessment, and Reporting of Cybersecurity Threats

We employ a multi-layered approach to identify, assess, and report potential cybersecurity threats:

- Threat intelligence tracking: We actively monitor relevant-threat intelligence feeds and industry best practices to stay informed about emerging threats and vulnerabilities.
- Managed Detection and Response (“MDR”) partnership: We have partnered with a reputable third-party MDR provider to enhance our threat detection and response capabilities. This service provides continuous monitoring, analysis, and proactive response to potential threats, ensuring timely identification and mitigation of cybersecurity incidents.
- Metrics and Measurements: We capture telemetry from our IT infrastructure in order to measure the effectiveness of our security controls and identify areas for improvement.

Third-Party Service Providers

We take security seriously when choosing and working with third-party providers and have established processes to oversee and manage risks associated with third-party service providers. We require providers to share their security reports (System and Organization Controls (“SOC”) 1 and SOC 2) prior to initial engagement and ongoing on an annual basis. We believe that the review of such reports helps us minimize the risk of data breaches or other problems resulting due to our third-party relationships, especially with software-as-a-service (“SaaS”) providers.

Reporting

We have a communication process for incidents based on their severity as outlined in our incident response plan. When a major incident is detected, executive leadership is informed within 24 hours. The audit committee and Chief Financial Officer are notified, and a detailed report is submitted, within 24-48 hours. For moderate incidents, the notification timeframe is 72 hours, and the detailed report is submitted to the audit committee within five to seven days. If a cybersecurity incident is deemed material, it will be reported promptly under SEC guidance.

Management and Board of Director Oversight of Cybersecurity Threats

The Company’s Chief Financial Officer (“CFO”) and the audit committee of the board of directors of the Company (the “Board”) has responsibility for the oversight of cybersecurity threats and incidents. The audit committee conducts periodic reviews of the Company’s cybersecurity programs, policies, and risk management strategies to ensure alignment with industry best practices. Additionally, our CFO, leveraging extensive experience in managing technology infrastructure and cybersecurity risk, performs internal reviews with operational teams to assess cybersecurity readiness and enhance incident response strategies.

The Board’s oversight is further strengthened by the presence of a director with over 30 years of experience advising global companies on technology and operations, including cybersecurity risk management. Our internal IT team, with over 40 years combined experience in cybersecurity, plays a critical role in implementing security controls, threat monitoring, and incident response. This multi-tiered governance structure ensures that cybersecurity remains a top priority at both the executive and operational levels.


Company Information

Name: Hyliion Holdings Corp.
CIK: 0001759631
SIC Description: Truck & Bus Bodies
Ticker: HYLN - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30