Page last updated on March 6, 2025
EVgo Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 16:21:53 EST.
Filings
10-K filed on 2025-03-06
EVgo Inc. filed a 10-K at 2025-03-06 16:21:53 EST
Accession Number: 0001558370-25-002400
Item 1C. Cybersecurity.
Item 1C. Cybersecurity Risk Management, Strategy and Governance.

Risk Management and Strategy

We maintain a cybersecurity risk management program designed to mitigate cybersecurity risks through a comprehensive framework that integrates cybersecurity into our overall risk management processes.

Risk Assessment. Our internal cybersecurity team conducts regular assessments designed to assess, identify, and manage material risks from cybersecurity threats and vulnerabilities within our systems and processes. These assessments are part of our ongoing risk management strategy and inform strategic decisions regarding security investments and policy developments. The internal risk assessment process includes periodic reviews of our charging infrastructure, software applications and operational procedures against best practices and address current and potential threats. To augment our internal efforts, we engage third parties to conduct independent assessments of our cybersecurity posture. These external assessments provide an objective review of our security controls, breach readiness and compliance with industry standards and regulations. The insights gained from these audits inform refinements to our risk management strategies with respect to cybersecurity-related threats.

Cybersecurity Policies and Procedures. We maintain a set of cybersecurity policies and procedures that are regularly reviewed and updated. These policies are crafted in accordance with certain components of the National Institute of Standards and Technology Cybersecurity Framework, which provides a policy foundation for critical infrastructure security. These policies govern our cybersecurity program, including but not limited to access control, system development life cycle management, change management, and incident response.

Monitoring Controls. In addition to our cybersecurity policies and procedures, we place significant emphasis on monitoring controls as a critical component of our cybersecurity strategy. These controls are designed to enable us to consistently oversee and evaluate the effectiveness of our cybersecurity measures to help ensure prompt detection of and response to potential threats or anomalies. We maintain a continuous monitoring strategy that utilizes advanced tools and technologies to oversee our network infrastructure and digital assets. This includes data loss prevention controls, system log reviews and unusual activities that could indicate a potential security breach. Automated alert systems deployed as part of our monitoring controls are designed to enable rapid identification and escalation of suspicious activities. These systems are configured to detect a range of cyber threats, from malware infections to unauthorized access attempts.

Cyber Incident Response and Reporting. Our Security Incident Response Policy is designed to enable prompt and effective action in the event of a cybersecurity incident to safeguard our information technology systems, customer data and overall business operations. We are cognizant of the ever-evolving landscape of cybersecurity threats and their potential to materially impact our operations. To date, we do not believe that we have experienced any cybersecurity incidents that have had a material adverse effect on our business strategy, operations or financial condition. However, we recognize that cybersecurity threats are a significant risk factor for any organization, especially those involved in digital infrastructure. See Part I, Item 1A, “Risk Factors - Risks Related to Our Business - Our systems are susceptible to various forms of cyber threats, including computer malware, viruses, ransomware, hacking attempts, phishing attacks and other network disruptions. These incidents have the potential to lead to security and privacy breaches, loss of proprietary information and interruptions or delays in our services and operations, any of which could significantly harm our business,” for further discussion.

Detection and Analysis. Under our Security Incident Response Policy, all of our employees and other personnel are responsible for reporting any known, suspected or possible security events, including those that may have originated with a third-party service provider, to our Information Security Department, which promptly notifies our President, who serves as our Information Security Coordinator. The Information Security Coordinator reviews the initial facts and findings regarding any security events, provides direction to the Information Security Department regarding any additional information that should be obtained, and convenes a meeting of the SIRT to review the matter, including to determine if the event could constitute a security incident. The SIRT is composed of employees with expertise in various aspects of our operations including information security, information technology, DevOps, legal, and EVSE engineering, as well as senior leaders, including our President, Chief Financial Officer and Chief Legal Officer.

Materiality Assessment, Mitigation and Reporting. Under our Security Incident Response Policy, the SIRT, under the leadership of the Information Security Coordinator, is responsible for promptly assessing the materiality of security events, developing our response to such events and, if a security event is determined to be a material incident, to oversee our disclosures regarding the incident as required by the rule adopted by the SEC related to cybersecurity disclosures. In determining whether a security event could constitute a security incident, the SIRT considers all facts and known information, including (without limitation) the potential harm to customers, employees and other parties; possible effects on our operations, financial statements, brand perception, reputation, customer or vendor relationships and competitiveness; the risk of fraud, extortion or intellectual property theft; litigation, regulatory and other legal risk; and other potential impacts. The Chair of the Audit Committee is informed of the SIRT’s review of cybersecurity events and its determinations as to the materiality of such events. The Security Incident Response Policy also includes procedures for the SIRT to coordinate the containment, eradication, mitigation, recovery and remediation related to security events and security incidents and the implementation of procedures and actions designed to prevent additional security events in the future.

We also conduct regular cybersecurity training for employees to ensure they are aware of potential cybersecurity threats and understand the role they play in maintaining our defenses. We also monitor evolving regulations and standards to review industry best practices and legal and regulatory obligations.

Governance

Board Oversight of Cybersecurity. Our Audit Committee, acting pursuant to authority delegated by our full Board of Directors, actively oversees our cybersecurity strategy and risks from cybersecurity threats, as well as our broader enterprise risk management framework. Our cybersecurity team meets biweekly to assess and manage material risks from cybersecurity threats and vulnerabilities, which includes reviewing our risk profile and developing mitigation strategies with respect to those risks. We utilize vulnerability management software, which helps us identify risks within our environment. Our Audit Committee meets quarterly to review cyber security compliance initiatives as they are escalated from our cybersecurity team through management and reviews the enterprise risk matrix prepared by management on an annual basis. Our Information Security Manager has over 15 years of cybersecurity experience in information security and holds CISSP, CRISC, and Security+ certifications and has a MS in Information Assurance. Our Enterprise Risk Committee is briefed quarterly on cybersecurity threats and mitigation strategies by security. Updates include incident trends, compliance status, and responses to emerging threats. Additionally, real-time alerts ensure immediate awareness of critical cybersecurity events.

Board’s Oversight Role. Our Audit Committee reviews and assesses our risk management program and cybersecurity activities and strategy to help align with our business objectives and compliance with legal and regulatory standards. These updates include reviews of new or evolving cybersecurity threats, our cybersecurity measures, the results of recent third-party security audits, and assessments and oversight of any recent cybersecurity events with certain characteristics that may have occurred. This oversight role includes evaluating the effectiveness of policies and procedures designed to protect our assets and sensitive customer information from cyber threats. The Chair of our Audit Committee regularly reports on our Audit Committee’s oversight activities related to enterprise risk management and cybersecurity to our full Board of Directors. The Information Security Coordinator promptly notifies the Chair of our Audit Committee of any significant security events reviewed by the SIRT, the SIRT’s determination of whether a security event is reportable on Form 8-K pursuant to the SEC Cyber Rule and the factors underlying that determination. If the SIRT determines that a cybersecurity incident is likely material and therefore reportable on Form 8-K, a draft of the Form 8-K will be provided to our Audit Committee for review and comment prior to us filing the Form 8-K within the deadline specified by the SEC’s cybersecurity disclosure rules. Our Audit Committee’s active engagement with and oversight of our cybersecurity program helps foster a culture of security awareness throughout our company.
Company Information
Name | EVgo Inc. |
CIK | 0001821159 |
SIC Description | Services-Automotive Repair, Services & Parking |
Ticker | EVGO - Nasdaq; EVGOW - Nasdaq |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |