Xos, Inc. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Xos, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 16:50:08 EDT.

Filings

10-K filed on 2025-03-31

Xos, Inc. filed a 10-K at 2025-03-31 16:50:08 EDT
Accession Number: 0001819493-25-000043

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy 48 We have established policies and processes designed to assess, identify and manage material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes . Through the use of manual and automated tools, analyses of reports of threats and threat actors, evaluations of threats reported to us, and internal and external audits, we routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards designed to minimize identified risk s; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Chief Operating Officer (COO) , who coordinates with our IT and legal departments. As part of our overall risk management system, we monitor and test our safeguards and tra in our employees on these safeguards, in collaboration with our IT department and management. Personnel at various levels and departments are made aware of our cybersecurity policies through routine training sessions and assessments. Additionally, depending on the environment, systems, and data at issue, we implement and maintain various measures designed to manage and mitigate material risks from cybersecurity threats, including encryption of data, network security controls, cybersecurity insurance, and asset management, tracking, and disposal. We also engage third-party service providers to assist us in monitoring and testing our cybersecurity safeguards and compliance, such as cybersecurity software providers, professional services firms and firms that conduct security audits and perform user phishing tests and training. We have not encountered cybersecurity threats, incidents or challenges that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information regarding risks from cybersecurity threats, please refer to Part I Item 1A. Risk Factors in this Report, including “If our IT systems, those of third-parties upon which we rely, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse consequences.” Governance One of the key functions of our Board is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure, and our management is responsible for the day-to-day management of the material risks we face. Our Board administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee. Our COO, is primarily responsible for assessing and managing our material risks from cybersecurity threats and confers with our IT department in executing our cybersecurity policies and processes, including our incident response processes. Our COO has nine years of experience in assessing and managing cybersecurity risks for the Company and its predecessor. Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to the COO and other members of management and/or the Board, depending on the circumstances. The Audit Committee and the Board receive periodic briefings regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses , cybersecurity systems testing and activities of third-parties. Our management, including the COO, maintains an active dialogue with the Board and Audit Committee on risk management matters, which includes cybersecurity.

Company Information