Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management

We face a number of cybersecurity risks in connection with our business and recognize the growing threat within the general marketplace and our industry. In the ordinary course of our business, we use, store, and process data, including data of our employees, partners, collaborators, and vendors. Cybersecurity threats and incidents include attempts to gain unauthorized access to our systems and networks, or those of our partners, collaborators, vendors, or other third parties with whom we do business, to disrupt operations, corrupt data or steal confidential or personal information and other cybersecurity breaches. We consider cybersecurity risk a serious threat to our business. To help the Company identify, assess, and mitigate risks to this data and our systems, we have implemented a cybersecurity risk management program that is informed by recognized industry standards and frameworks and incorporates elements of the same.

Our cybersecurity risk management program includes a number of components, including information security program assessments and continuous monitoring of critical risks from cybersecurity threats using automated tools. We periodically engage third parties to conduct risk assessments on our systems, including penetration testing and other vulnerability analyses. In 2024, Plug continued to fortify its comprehensive cybersecurity and risk controls. We maintain an insider threat program designed to identify, assess, and address potential risks from within our Company and evaluate potential risks consistent with industry practices, customer requirements, and applicable law, including privacy and other considerations. We mandated an annual cybersecurity awareness training module, enhanced our Information Technology Infrastructure Library (ITIL)-based discipline of change and incident management, and overhauled our monthly patching/vulnerability management rigor. Additionally, Plug continued leveraging top-tier third-party support for external and perimeter examination: completing exhaustive Penetration Testing and Vulnerability Scans (performed by OrbitalFire), establishing a robust Network Operations Center (NOC), and leveraging industry-leading endpoint monitoring and detection services (CrowdStrike). Additionally, we have implemented an employee education program whereby employees are able to attend cybersecurity awareness training during the onboarding process.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management program includes a number of components, including information security program assessments and continuous monitoring of critical risks from cybersecurity threats using automated tools. We periodically engage third parties to conduct risk assessments on our systems, including penetration testing and other vulnerability analyses. In 2024, Plug continued to fortify its comprehensive cybersecurity and risk controls. We maintain an insider threat program designed to identify, assess, and address potential risks from within our Company and evaluate potential risks consistent with industry practices, customer requirements, and applicable law, including privacy and other considerations. We mandated an annual cybersecurity awareness training module, enhanced our Information Technology Infrastructure Library (ITIL)-based discipline of change and incident management, and overhauled our monthly patching/vulnerability management rigor. Additionally, Plug continued leveraging top-tier third-party support for external and perimeter examination: completing exhaustive Penetration Testing and Vulnerability Scans (performed by OrbitalFire), establishing a robust Network Operations Center (NOC), and leveraging industry-leading endpoint monitoring and detection services (CrowdStrike). Additionally, we have implemented an employee education program whereby employees are able to attend cybersecurity awareness training during the onboarding process.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our governance framework includes oversight by the Audit Committee of the Board of Directors. The Audit Committee meets quarterly with the CFO regarding the cybersecurity risk management program, including as relates to critical cybersecurity risks and cybersecurity initiatives and strategies. Additionally, on an annual basis, the VP of IT reports the current state of cybersecurity risk management to the full Board of Directors. The Board of Directors, as a whole and through its committees, has responsibility for the oversight of risk management.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee of the Board of Directors
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee meets quarterly with the CFO regarding the cybersecurity risk management program, including as relates to critical cybersecurity risks and cybersecurity initiatives and strategies. Additionally, on an annual basis, the VP of IT reports the current state of cybersecurity risk management to the full Board of Directors.
Cybersecurity Risk Role of Management [Text Block]

The Vice President of Information Technology (“VP of IT”) oversees the daily operations of our cybersecurity risk management program and plays a central role in assessing and managing critical risks from cybersecurity threats with the support of additional IT professionals. The VP of IT role is currently held by an individual who has approximately twenty years of experience in information security management, application portfolio management, and IT governance, risk, and compliance. The VP of IT periodically reports on the cybersecurity program to the Chief Financial Officer (“CFO”).

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Vice President of Information Technology
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The VP of IT role is currently held by an individual who has approximately twenty years of experience in information security management, application portfolio management, and IT governance, risk, and compliance.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The VP of IT periodically reports on the cybersecurity program to the Chief Financial Officer (“CFO”).
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true