RISK AND INFORMATION
SECURITY COMMITTEE CHARTER
Copyright/permission to reproduce
Materials in this document were produced or compiled by The Governance Box
(GBX) for the purpose of providing Public Companies with governance
information and outlining their corporate and public market
obligations to shareholders in accordance with the applicable laws
and policies of the Securities and Exchange Commission and relevant
stock market exchanges of the United States of
America.
The materials in this manual are covered by the provisions of the
Copyright Act, by other US laws, policies, regulations, and by
international agreements. Such provisions serve to identify the
information source and, in specific
instances, to prohibit reproduction of materials without written
permission.
Adopted by Electrameccanica Vehicles Corp. Board of Directors on
this ____ day of December 2017.
ELECTRAMECCANICA VEHICLES CORP.
Risk and Information Security Committee Charter
PURPOSE:
The Risk and Information Security Committee (the
“Committee”) assists the Board of Directors of
Electrameccanica Vehicles Corp. (“Company”) in
fulfilling its oversight responsibilities by overseeing and
reviewing (i) the Company’s internal controls to protect the
Company’s information and proprietary assets, and (ii) the
Company’s risk governance structure, including the Enterprise
Risk Management framework, risk policies and risk tolerances. The
Committee will work closely with the Audit Committee to ensure
related matters are addressed in the appropriate committee.
In meeting its responsibilities, the Committee is expected to:
1. Set the tone for enhancing the Company’s capabilities on matters
relating to information security and enterprise risk management,
generally;
2. Provide oversight and ensure alignment between the Company’s
information security and risk management strategies and Company
objectives;
3. Serve as an independent and objective party to review the
Company’s information security framework and risk management
system;
4. Review and appraise the Company’s risk governance structure,
including the Enterprise Risk Management framework, key risk
policies and critical risk tolerances adopted by the Company.
The Committee fulfills these responsibilities by carrying out the
activities enumerated under the heading “Roles and
Responsibilities” in this Charter. In carrying out its
responsibilities, the Committee has the authority (i) to
investigate any matter brought to its attention with full access to
all books, records, facilities, and personnel of the Company and
(ii) to retain independent consultants to advise the Committee, at
Company expense, as it deems necessary. The Company shall provide
for appropriate funding, as determined by the Committee, for the
payment of compensation to consultants or advisors employed by the
Committee and ordinary administrative expenses of the Committee
that are necessary or appropriate in carrying out its
duties.
SCOPE:
This Charter covers all Electrameccanica Vehicles Corp. and its
subsidiaries (“BioCorRx”) in the U.S. and
abroad.
POLICY:
Membership
The Committee shall be appointed by the Board of Directors. Committee
membership shall be comprised of individual members with
professional experience or backgrounds presenting relevant
experience or capacity to address those matters within the scope of
the Committee’s responsibility.
Desirable attributes for Committee members may include one or more of
the following:
(i) familiarity, or the ability to quickly gain familiarity, with
major technology platforms employed by the Company,
(ii) knowledge of technological ecosystems and challenges confronted
in current or emerging business environments,
(iii) capacity to understand new or emerging technologies and cyber
security threats, and
(iv) experience relating to enterprise risk management principles and
process.
Meetings
The Committee shall meet as circumstances require. The Committee may
require any officer or employee of the Company or its subsidiaries
or others to attend its meetings or to meet with any members of, or
consultants to, the Committee and to provide pertinent information
as necessary. The Committee shall meet regularly in executive
sessions to discuss any matters that the Committee believes should
be discussed privately and shall include members of management or
others in such discussions to the extent appropriate. Minutes will
be kept for each Committee meeting.
ROLES & RESPONSIBILITIES:
While the Committee has the responsibilities and powers set forth in this
Charter, the Company’s management is responsible for ensuring
that a reasonable information security system is in place, and that
the Company is reasonably defended against cyber security threats.
Similarly, the Company’s management is responsible for
managing its risk function and for reporting on its processes and
assessments with respect to the Company’s management of risk.
The Committee is responsible for overseeing the conduct of these
activities.
The Committee may rely, without independent verification, on the
information provided to it and on the representations made by
management. The Committee may also rely on periodic reports from
management about the Company’s information security or risk
management frameworks. The Company’s Chief Risk Officer and
Chief Information Officer shall report directly to the
Committee.
Specific responsibilities and duties for the Committee include the
following:
1. Review with the Company’s Chief Information Officer and with
management Company policies pertaining to information security and
cyber threats, considering the potential for external threats,
internal threats, and threats arising from transactions with trusted
third parties and vendors.
2. Review with the Company’s Chief Information Officer the Company’s
framework to prevent, detect, and respond to cyber attacks or
breaches, as well as identifying areas of concern regarding
possible vulnerabilities and best practices to secure points of
vulnerability.
3. Review with the Company’s Chief Information Officer Company
policies and frameworks relating to access controls, critical
incident response plans, business continuity and disaster recovery,
physical and remote system access, and perimeter protection of IT
assets.
4. Review with management programs to educate Company employees about
relevant information security issues and Company policies with
respect to information security generally.
5. Receive reports regarding the results of reviews and assessments
from the Company’s Chief Information Officer, or other internal
departments as necessary to fulfill the Committee’s duties and
responsibilities.
6. Review and approve the Company’s risk governance structure,
including the Enterprise Risk Management framework, key risk
policies and critical risk tolerances adopted by the Company.
7. Discuss with management and the Chief Risk Officer the Company’s
major risk exposures and review the steps management has taken to
monitor and control such exposures, including the Company’s risk
assessment and risk management policies.
8. Receive, as and when appropriate, reports and recommendations from
management and the Company’s Chief Risk Officer on the Company’s
risk tolerance.
9. Review and approve the Company’s internal audit work plan to
ensure alignment with identified risks and risk governance needs.
10. Receive reports, as and when appropriate, regarding the results of
risk management reviews and assessments from the Company’s Chief
Risk Officer, the head of Internal Audit, or other internal
departments as necessary to fulfill the Committee’s duties and
responsibilities.
11. Review the performance of the Company’s Chief Information Officer
and Chief Risk Officer.
12. Report regularly to the full Board of Directors and review with
the full Board of Directors any material issues that have arisen
with respect to the matters outlined herein.
13. Make such recommendations with respect to any of the above and
other matters as the Committee deems necessary or appropriate.
14. Review and reassess the adequacy of the Committee’s Charter
annually and recommend to the Board of Directors any changes deemed
appropriate by the Committee. The Chairman of the Committee may
represent the entire Committee for purposes of this review.
15. Perform any other activities consistent with this Charter, the
Company’s By-laws, and governing law, as the Committee or the Board
of Directors deems necessary or appropriate.
REPORTS:
The Risk and Information Security Committee will record its summaries
of recommendations to the Board in written form, which will be
incorporated as a part of the minutes of the meeting of the Board
at which those recommendations are presented.
MINUTES:
The Risk and Information Security Committee will maintain written
minutes of its meetings, which minutes will be filed with the
minutes of the meetings of the Board.