Bloom Energy Corp 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Bloom Energy Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:14:33 EST.

Filings

10-K filed on 2025-02-27

Bloom Energy Corp filed a 10-K at 2025-02-27 17:14:33 EST
Accession Number: 0001628280-25-008747

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C, Cybersecurity of this Annual Report on Form 10-K for further information. We have developed a significant patent portfolio to protect elements of our proprietary technology. As of December 31, 2024, we had 358 active patents and 148 patent applications pending in the U.S., and we had an international patent portfolio comprising 177 active patents (counting patents by where enforceable) and 430 patent applications pending. Our U.S. patents are expected to expire between 2025 and 2044. While patents are an essential element of our intellectual property strategy, our business is not dependent on any one patent or pending patent application. We regularly review our development efforts to assess the existence and patentability of new intellectual property. We pursue the registration of our domain names, trademarks, and service marks in the U.S. and some international locations. “Bloom Energy” and the “BE” logos are our registered trademarks in certain countries for use with the Energy Server system Index to Financial Statements and our other products. We also hold registered trademarks for, among others, “Bloom Box,” “BloomConnect,” “BloomEnergy,” and “Energy Server” in various countries. Bloom has several trademark applications pending, including applications directed to new product categories, expanded use applications, and applications on several logos used by the Company. When appropriate, we enforce our intellectual property rights against other parties. For more information about risks related to our intellectual property, please see the risk factors set forth under the caption Part I, Item 1A, Risk Factors - Risks Related to Our Intellectual Property . Manufacturing Facilities Our primary manufacturing facilities are in Fremont, California, and Newark, Delaware. We own our 178,000 square-foot manufacturing facility in Newark, which was our first purpose-built Bloom Energy manufacturing center and was designed specifically for copy-exact duplication as we expand, which we believe will help us scale more efficiently. Our Newark facility includes an additional 25 acres available for factory expansion and/or the co-location of supplier plants. In September 2023, as part of the approved restructuring plan (the “Restructuring Plan”), we initiated a closure of a 50,000 square-foot manufacturing, warehousing, research and development (“R&D”) facility in Sunnyvale, California, which lease expired in December 2023. Under the Restructuring Plan, we consolidated this Sunnyvale facility with our manufacturing facility in Fremont, California, and performed an optimization of our manufacturing workforce. The restructuring activities were completed in the first quarter of fiscal year 2024. For more information about the restructuring, please see Part II, Item 8, Note 12 - Restructuring. We lease various manufacturing facilities in California and Delaware. We lease an 89,000 square-foot R&D and manufacturing facility in Fremont, California, which became operational in April 2021. Additionally, in Fremont, California, in June 2022, we opened a new research and technical center and a global hydrogen development facility with a total space of 73,000 square feet, and, since July 2022, we leased a 164,000 square-foot manufacturing facility that expires in February 2036. The lease terms of our Repair & Overhaul (“R&O”) manufacturing facilities in Newark, Delaware, with a total area of 56,000 square feet expire in December 2026 and April 2027. On December 31, 2024, the lease of our 60,000 square-foot manufacturing, warehousing, and R&D facility in Sunnyvale, California, ended. We plan to vacate this facility in the first quarter of fiscal year 2025 and consolidate these operations with our manufacturing facility in Fremont, California. We maintain a light-assembly facility in the Republic of Korea, in connection with our efforts to develop a local supplier ecosystem through a joint venture with SK ecoplant. Please see Part I,
ITEM 1C - CYBERSECURITY Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, or availability of our information technology systems or any information residing therein. Our cybersecurity risk management program includes a cybersecurity incident response plan. We design and assess our program based on the Center for Internet Security (“CIS”) 18 Framework. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS 18 Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes: - Periodic risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment. - A security team principally responsible for managing our cybersecurity risk assessment processes, security controls, and response to cybersecurity incidents, supported by a virtual Chief Information Security Officer (“vCISO”) that we have engaged through a third-party IT security firm. - The use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls. - Our Internal Audit department, which monitors certain IT systems controls that are integrated into our larger Sarbanes-Oxley control environment. - Periodic cybersecurity awareness training for our employees and contractors with access to our information technology systems. Index to Financial Statements - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, including incidents that could be indicators of attack against availability, integrity and confidentiality of information systems. - A third-party risk management process for service providers, suppliers, and vendors that includes examining their security postures and assessing their data and system protection controls. Since the beginning of the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity threats that, if realized, are reasonably likely to materially affect us. For a discussion of how cybersecurity risks could materially affect us in the future, please see the risk factors set forth under the caption Part I, Item 1A, Risk Factors - Risks Related to our Operations . Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program. The Board receives periodic reports from the Audit Committee and management on these and other activities. The Audit Committee receives periodic reports from management on our cybersecurity risks, including presentations from our Chief Information Officer, vCISO, internal security staff, and external experts. This includes updates to the Audit Committee, as appropriate, regarding any significant cybersecurity incidents, or multiple incidents that could be significant in the aggregate. These updates may occur in between regularly scheduled Audit Committee meetings. At the management level, the Enterprise and Risk Management Committee (the “ERM Committee”) discusses cybersecurity topics, including any potentially material cybersecurity incidents, as part of its oversight of the company’s significant risks. Our Chief Information Officer, collaborating with the broader management team, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including: - periodic briefings from internal security personnel; - periodic reviews of risk management measures implemented to prevent, detect, mitigate, and remediate cybersecurity risks and incidents, including our incident response plan; - threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and - alerts and periodic reports produced by security tools deployed in our IT environment. Our Chief Information Officer has more than 20 years of cybersecurity and information technology experience and she has served as the Chief Information Officer for multiple technology companies. Our vCISO and their third-party IT security firm includes a global team of cybersecurity professionals with significant industry experience. Similarly, the members of the ERM Committee possess significant risk management experience obtained by their collective years of experience at Bloom and other companies of similar or greater complexity. Index to Financial Statements

Company Information