RISK AND INFORMATION SECURITY COMMITTEE CHARTER
Copyright/permission to reproduce
Materials in this document were produced or compiled by The Governance Box (GBX) for the purpose of providing Public Companies with governance information and outlining their corporate and public market obligations to shareholders in accordance with the applicable laws and policies of the Securities and Exchange Commission and relevant stock market exchanges of the United States of America.
The materials in this manual are covered by the provisions of the Copyright Act, by other US laws, policies, regulations, and by international agreements. Such provisions serve to identify the information source and, in specific instances, to prohibit reproduction of materials without written permission.
Adopted by Electrameccanica Vehicles Corp. Board of Directors on this ____ day of December 2017.
ELECTRAMECCANICA VEHICLES CORP.
Risk and Information Security Committee Charter
PURPOSE:
The Risk and Information Security Committee (the “Committee”) assists the Board of Directors of Electrameccanica Vehicles Corp. (“Company”) in fulfilling its oversight responsibilities by overseeing and reviewing (i) the Company’s internal controls to protect the Company’s information and proprietary assets, and (ii) the Company’s risk governance structure, including the Enterprise Risk Management framework, risk policies and risk tolerances. The Committee will work closely with the Audit Committee to ensure related matters are addressed in the appropriate committee.
In meeting its responsibilities, the Committee is expected to:
1. Set the tone for enhancing the Company’s capabilities on matters relating to information security and enterprise risk management, generally;
2. Provide oversight and ensure alignment between the Company’s information security and risk management strategies and Company objectives;
3. Serve as an independent and objective party to review the Company’s information security framework and risk management system;
4. Review and appraise the Company’s risk governance structure, including the Enterprise Risk Management framework, key risk policies and critical risk tolerances adopted by the Company.
The Committee fulfills these responsibilities by carrying out the activities enumerated under the heading “Roles and Responsibilities” in this Charter. In carrying out its responsibilities, the Committee has the authority (i) to investigate any matter brought to its attention with full access to all books, records, facilities, and personnel of the Company and (ii) to retain independent consultants to advise the Committee, at Company expense, as it deems necessary. The Company shall provide for appropriate funding, as determined by the Committee, for the payment of compensation to consultants or advisors employed by the Committee and ordinary administrative expenses of the Committee that are necessary or appropriate in carrying out its duties.
SCOPE:
This Charter covers all Electrameccanica Vehicles Corp. and its subsidiaries (“BioCorRx”) in the U.S. and abroad.
POLICY:
Membership
The Committee shall be appointed by the Board of Directors. Committee membership shall be comprised of individual members with professional experience or backgrounds presenting relevant experience or capacity to address those matters within the scope of the Committee’s responsibility.
Desirable attributes for Committee members may include one or more of the following:
(i) familiarity, or the ability to quickly gain familiarity, with major technology platforms employed by the Company,
(ii) knowledge of technological ecosystems and challenges confronted in current or emerging business environments,
(iii) capacity to understand new or emerging technologies and cyber security threats, and
(iv) experience relating to enterprise risk management principles and process.
Meetings
The Committee shall meet as circumstances require. The Committee may require any officer or employee of the Company or its subsidiaries or others to attend its meetings or to meet with any members of, or consultants to, the Committee and to provide pertinent information as necessary. The Committee shall meet regularly in executive sessions to discuss any matters that the Committee believes should be discussed privately and shall include members of management or others in such discussions to the extent appropriate. Minutes will be kept for each Committee meeting.
ROLES & RESPONSIBILITIES:
While the Committee has the responsibilities and powers set forth in this Charter, the Company’s management is responsible for ensuring that a reasonable information security system is in place, and that the Company is reasonably defended against cyber security threats. Similarly, the Company’s management is responsible for managing its risk function and for reporting on its processes and assessments with respect to the Company’s management of risk. The Committee is responsible for overseeing the conduct of these activities.
The Committee may rely, without independent verification, on the information provided to it and on the representations made by management. The Committee may also rely on periodic reports from management about the Company’s information security or risk management frameworks. The Company’s Chief Risk Officer and Chief Information Officer shall report directly to the Committee.
Specific responsibilities and duties for the Committee include the following:
1. Review with the Company’s Chief Information Officer and with management Company policies pertaining to information security and cyber threats, considering the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.
2. Review with the Company’s Chief Information Officer the Company’s framework to prevent, detect, and respond to cyber attacks or breaches, as well as identifying areas of concern regarding possible vulnerabilities and best practices to secure points of vulnerability.
3. Review with the Company’s Chief Information Officer Company policies and frameworks relating to access controls, critical incident response plans, business continuity and disaster recovery, physical and remote system access, and perimeter protection of IT assets.
4. Review with management programs to educate Company employees about relevant information security issues and Company policies with respect to information security generally.
5. Receive reports regarding the results of reviews and assessments from the Company’s Chief Information Officer, or other internal departments as necessary to fulfill the Committee’s duties and responsibilities.
6. Review and approve the Company’s risk governance structure, including the Enterprise Risk Management framework, key risk policies and critical risk tolerances adopted by the Company.
7. Discuss with management and the Chief Risk Officer the Company’s major risk exposures and review the steps management has taken to monitor and control such exposures, including the Company’s risk assessment and risk management policies.
8. Receive, as and when appropriate, reports and recommendations from management and the Company’s Chief Risk Officer on the Company’s risk tolerance.
9. Review and approve the Company’s internal audit work plan to ensure alignment with identified risks and risk governance needs.
10. Receive reports, as and when appropriate, regarding the results of risk management reviews and assessments from the Company’s Chief Risk Officer, the head of Internal Audit, or other internal departments as necessary to fulfill the Committee’s duties and responsibilities.
11. Review the performance of the Company’s Chief Information Officer and Chief Risk Officer.
12. Report regularly to the full Board of Directors and review with the full Board of Directors any material issues that have arisen with respect to the matters outlined herein.
13. Make such recommendations with respect to any of the above and other matters as the Committee deems necessary or appropriate.
14. Review and reassess the adequacy of the Committee’s Charter annually and recommend to the Board of Directors any changes deemed appropriate by the Committee. The Chairman of the Committee may represent the entire Committee for purposes of this review.
15. Perform any other activities consistent with this Charter, the Company’s By-laws, and governing law, as the Committee or the Board of Directors deems necessary or appropriate.
REPORTS:
The Risk and Information Security Committee will record its summaries of recommendations to the Board in written form, which will be incorporated as a part of the minutes of the meeting of the Board at which those recommendations are presented.
MINUTES:
The Risk and Information Security Committee will maintain written minutes of its meetings, which minutes will be filed with the minutes of the meetings of the Board.