LITHIUM AMERICAS CORP. 10-K Cybersecurity GRC - 2025-03-28

Page last updated on March 28, 2025

LITHIUM AMERICAS CORP. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-28 12:00:36 EDT.

Filings

10-K filed on 2025-03-28

LITHIUM AMERICAS CORP. filed a 10-K at 2025-03-28 12:00:36 EDT
Accession Number: 0000950170-25-046424


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company operates in an increasingly interconnected digital environment and recognizes the critical need to assess, identify and manage material risks associated with cybersecurity threats. As part of the Company’s business operations, it may collect and store sensitive information, including proprietary and confidential business data, intellectual property, third-party information, employee details and other personal information. To manage this information, as well as key business processes such as inventory management, payment processing, cash collection, human capital management, financial operations and other essential procedures, the Company relies on both its internal information systems and third-party systems. The effective management of the Company’s business depends on the reliability, security and capacity of these systems.

To mitigate these risks, the Company has developed and implemented a cybersecurity risk management program ("Cybersecurity Program") intended to protect the confidentiality, integrity and availability of the Company’s critical systems and information, based on the Center for Internet Security ("CIS") Critical Security Controls ("CSC") v8.0 and the CIS Risk Assessment Method v2.1. The Company uses the CIS CSC v8.0 as a guide to help identify, assess, and manage cybersecurity risks relevant to its business. The Cybersecurity Program is aligned to the Company’s business strategy and shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including legal, compliance, strategic, operational and financial risk.
Key elements of the Company’s cybersecurity risk management program include:

- annual risk assessments designed to help identify material cybersecurity risks to the Company’s critical systems, information, products, services and broader enterprise IT environment;
- designation of resources responsible for managing the Company’s cybersecurity risk assessment processes, security controls, and response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of security controls;
- monthly training and awareness programs for team members that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls; and
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.

Since the Separation, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect its business strategy, results of operations or financial condition. However, the Company recognizes that cybersecurity threats are constantly evolving, and the potential for future cybersecurity incidents persists. The Company’s IT Security Department is dedicated to monitoring and assessing these risks to ensure the security and continuity of operations.

Despite the implementation of robust cybersecurity programs, no security measures can entirely eliminate the risk of a significant cyberattack. A successful breach of the Company’s IT systems could have substantial consequences for its business. While the Company allocates considerable resources to safeguard its systems and information, these efforts cannot guarantee complete protection.
For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, refer to Part I - Item 1A: Risks Related to the Company’s Business and Securities - Increased reliance on digital technologies and new information systems to support the growing business could increase costs and cybersecurity related threats.

Cybersecurity Governance

The Company’s Audit and Risk ("A&R") Committee of the Board has specific responsibility for overseeing cybersecurity threats, among other things. The Company’s Chief Financial Officer ("CFO") provides the A&R Committee periodic reports on the Company’s cybersecurity risks and any material cybersecurity incidents, and the Board also receives quarterly cybersecurity reports.

The Company’s Senior Technology Specialist, who has over 25 years of IT work experience across a range of sectors, has primary responsibility for overall cybersecurity risk management program and supervises both internal IT personnel and retained external cybersecurity consultants. The Senior Technology Specialist reports to the Company’s Senior Vice President, Finance and Administration (who reports to the CFO).

The IT department also monitors the prevention, detection, mitigation and remediation of cybersecurity risks and incidents through various means, which may include threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged, and alerts and reports produced by security tools deployed in the IT environment.


Company Information

Name: LITHIUM AMERICAS CORP.
CIK: 0001966983
SIC Description: Metal Mining
Ticker: LAC - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30