PLUG POWER INC 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

PLUG POWER INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 16:48:02 EST.

Filings

10-K filed on 2025-03-03

PLUG POWER INC filed a 10-K at 2025-03-03 16:48:02 EST
Accession Number: 0001558370-25-002049


Item 1C. Cybersecurity.

Cybersecurity Risk Management

We face a number of cybersecurity risks in connection with our business and recognize the growing threat within the general marketplace and our industry. In the ordinary course of our business, we use, store, and process data, including data of our employees, partners, collaborators, and vendors. Cybersecurity threats and incidents include attempts to gain unauthorized access to our systems and networks, or our partners, collaborators, vendors, or other third parties with whom we do business, to disrupt operations, corrupt data or steal confidential or personal information and other cybersecurity breaches. We consider cybersecurity risk a serious threat to our business.

To help the Company identify, assess, and mitigate risks to this data and our systems, we have implemented a cybersecurity risk management program that is informed by recognized industry standards and frameworks and incorporates elements of the same. Our cybersecurity risk management program includes a number of components, including information security program assessments and continuous monitoring of critical risks from cybersecurity threats using automated tools. We periodically engage third parties to conduct risk assessments on our systems, including penetration testing and other vulnerability analyses.

In 2024, Plug continued to fortify its comprehensive cybersecurity and risk controls. We maintain an insider threat program designed to identify, assess, and address potential risks from within our Company and evaluate potential risks consistent with industry practices, customer requirements, and applicable law, including privacy and other considerations. We mandated an annual cybersecurity awareness training module, enhanced our Information Technology Infrastructure Library (ITIL) based discipline of change and incident management, and overhauled our monthly patching/vulnerability management rigor.

Additionally, Plug continued leveraging top-tier third party support for external and perimeter examination: completing exhaustive Penetration Testing and Vulnerability Scans (performed by OrbitalFire), establishing a robust Network Operations Center (NOC), and leveraging industry-leading endpoint monitoring and detection services (CrowdStrike). Additionally, we have implemented an employee education program whereby employees are able to attend cybersecurity awareness training during the onboarding process.

Governance

The Vice President of Information Technology (“VP of IT”) oversees the daily operations of our cybersecurity risk management program and plays a central role in assessing and managing critical risks from cybersecurity threats with the support of additional IT professionals. The VP of IT role is currently held by an individual who has approximately twenty years of experience in information security management, application portfolio management, and IT governance, risk, and compliance. The VP of IT periodically reports on the cybersecurity program to the Chief Financial Officer (“CFO”).

Our governance framework includes oversight by the Audit Committee of the Board of Directors. The Audit Committee meets quarterly with the CFO regarding the cybersecurity risk management program, including as relates to critical cybersecurity risks and cybersecurity initiatives and strategies. Additionally, on an annual basis, the VP of IT reports the current state of cybersecurity risk management to the full Board of Directors. The Board of Directors, as a whole and through its committees, has responsibility for the oversight of risk management.

Although we have designed our cybersecurity program and governance procedures above to mitigate cybersecurity risks, we have experienced, and we may in the future experience, threats to and breaches of our data and systems, including ransomware attacks and phishing attacks. To date, these risks, threats or attacks have not had a material impact on our operations, business strategy or financial results, but we cannot provide assurance that they will not have a material impact in the future. For more information about the cybersecurity risks we face, see the risk factor entitled “We are dependent on information technology in our operations, and the failure of such technology may adversely affect our business. Security breaches of our information technology systems, including cyber-attacks, ransomware attacks, or use of malware or phishing or other malicious techniques by threat actors, have in the past and could in the future lead to liability, impact our operations, or damage our reputation and financial results” in Item 1A, “Risk Factors”.


Company Information

Name: PLUG POWER INC
CIK: 0001093691
SIC Description: Electrical Industrial Apparatus
Ticker: PLUG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30