Page last updated on March 27, 2025
Heliogen, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:12:49 EDT.
Filings
10-K filed on 2025-03-27
Heliogen, Inc. filed a 10-K at 2025-03-27 16:12:49 EDT
Accession Number: 0001840292-25-000012
Item 1C. Cybersecurity.
Risk Management and Strategy
We have implemented and maintain various information security processes and technologies designed to identify, assess and manage material risks from cybersecurity threats to our computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”). Our Chief Information Security Officer (“CISO”) and the information security team, in conjunction with our legal team and third-party service providers, help identify, assess and manage Heliogen’s cybersecurity threats and risks.
Our CISO and the information security team identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods from time to time, including, for example: conducting vulnerability assessments to identify vulnerabilities; conducting scans of corporate devices and network infrastructure; analyzing reports of potential, known and identified threats and actors; using automated and manual tools to monitor for, identify, or evaluate threats and risks; conducting audits and threat assessments; subscribing to reports and services that help identify cybersecurity threats; using third-party threat assessments and external intelligence feeds; and evaluating our Company’s and our industry’s risk profile.
We implement and maintain technical, physical, and organizational measures, processes, and/or policies, depending on the environment, designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: dedicated cybersecurity staff; an incident response plan and policy; a vulnerability management policy; risk assessment process; processes and policies to address access to systems and networks; physical security protocols; processes for asset management; encryption of certain company data, systems, and networks; penetration testing; and employee training. We also maintain cybersecurity insurance.
Our assessment and management of risks from cybersecurity threats are integrated into our overall risk management processes. For example, cybersecurity risk is identified and addressed as a component of the Company’s general risk management strategy. We have also established a cybersecurity committee consisting of our CISO, information security team, and other senior leaders to oversee our cybersecurity risk management process and strategies to mitigate cybersecurity threats, including through trainings, incident tabletop exercises and system testing.
We use third-party service providers to assist us from time to time to identify, assess, and manage risks from cybersecurity threats, including professional services firms, cybersecurity consultants, managed cybersecurity service providers and penetration testing firms. We recognize that cybersecurity risks extend to third-party service providers that access or manage our Information Systems and Data. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our third-party risk management program may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, including due diligence reviews, contractual security requirements, ongoing monitoring, and audits designed to evaluate vendors’ security controls against our security standards. Additionally, we conduct third-party penetration testing and security reviews on critical service providers.
For a description of the risks from cybersecurity threats that may materially affect Heliogen and how they may do so, see our risk factors under “Item 1A. Risk Factors” contained in Part I of this Annual Report, including “If our information technology systems or those of third parties upon which we rely, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”
Governance
Our Board addresses Heliogen’s cybersecurity risk management as part of its general oversight function. The Board’s Audit Committee is responsible for overseeing Heliogen’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are overseen by Heliogen leadership, including our CISO, who has over 30 years of experience in military and enterprise security, regulatory compliance and risk management. Our CISO is responsible for establishing and maintaining our information security framework, integrating cybersecurity risk considerations into our enterprise risk management strategy, and regulatory compliance.
Our CISO collaborates with executive management and the Board to assess, communicate, and mitigate cybersecurity risks. Responsibilities include overseeing security policies, incident preparedness, and threat monitoring.
Our incident response plan is designed to escalate certain cybersecurity incidents to members of management, including executive management and the Board, as necessary. Certain significant incidents are escalated to executive leadership and the Board’s Audit Committee.
The Audit Committee receives periodic reports from the CISO and information security team on significant cybersecurity threats, risk mitigation strategies and company-wide security initiatives. The Audit Committee is briefed quarterly on cybersecurity risks, controls and incident response activities. In addition, the Board periodically consults with external cybersecurity advisors for updates regarding evolving cybersecurity threats and best practices, and we conduct annual cybersecurity awareness training for executives and Board members to enhance their understanding of cybersecurity risks and related regulatory obligations.
Company Information
Name | Heliogen, Inc. |
CIK | 0001840292 |
SIC Description | Electric Services |
Ticker | HLGN - OTC, HLGNW - OTC |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |