FTC Solar, Inc. - (FTCI)
10-K Filing Date: March 15, 2024
Risk management and strategy
We recognize the importance of developing, implementing and maintaining robust cybersecurity measures to safeguard our information technology ("IT") systems and protect the confidentiality, integrity, and availability of our data.
We have integrated cybersecurity risk management into our overall risk management and internal control framework and have established policies and controls that we believe are appropriate in light of the risks of damage to our reputation and financial condition from unauthorized access to our key digital assets and systems.
Many of our key IT systems are provided by third parties with extensive experience and knowledge in addressing cybersecurity risks involving those systems and have their own robust system of controls regarding their software products, which we monitor on a recurring basis through review of independent reports on their systems of internal controls provided to us. Such IT systems include our primary accounting, financial reporting, payroll and employee benefits, document storage, email and video communication and employee expense reporting systems. Our internal intranet and IT asset control systems are also managed on our behalf by a third-party service provider, with whom we participate in regular weekly meetings to discuss cybersecurity-related items such as (i) operating and application system patching, (ii) phishing attempts, (iii) malware, (iv) non-compliant devices, (v) third-party secure scorecard results, and (vi) alerts provided through our Security Operations Center.
We obtain security incident reports from our third-party software and service providers regarding unauthorized attempts to access our systems, when and if they occur, and we work closely with our third-party providers to explore the details of any unauthorized attempts to infiltrate those systems and to assess whether any critical information within those systems was compromised. We also evaluate, to the extent possible, our system of controls against information obtained from our third-party providers, as well as our independent accountants and other technology consultants, about the practices followed by other companies in safeguarding their systems, in order to ensure our cybersecurity strategies and processes remain at the forefront of industry best practices.
Many of our employees work remotely or in various locations around the world and are provided with company-owned IT equipment. Software and firmware updates to such equipment are managed and controlled by the Company.
In order to further protect ourselves financially, we maintain insurance coverage of up to $5 million with respect to losses from business interruption, data recovery, cyber-extortion and ransomware, data breach response and crisis management as a result of a cybersecurity incident.
As of the date of the filing of this Annual Report, we have not encountered any cybersecurity incidents that have materially impaired our business strategy, operations or financial standing.
Governance
Board of Directors Oversight
Our Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats and has established oversight mechanisms to ensure effective governance in managing these risks. The Audit Committee is central to the Board's oversight and has been directed to assume primary responsibility for such oversight by the Board. The Audit Committee comprises board members with diverse experience including risk management, technology and finance, which, in the judgment of the Board, equips them with the ability to oversee cybersecurity risks effectively. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance to our management and approval of major initiatives.
Management's Role in Managing Risk
We have established a Cybersecurity Governance Committee, which meets monthly or more frequently, if needed, to monitor:
Our Cybersecurity Governance Committee includes our Chief Financial Officer, Chief Operating Officer, General Counsel, Senior Director of IT, Director of IT, Senior Director of Software, Corporate Controller, Director of SEC Reporting and Technical Accounting, and Director of Internal Audit. We believe the members of our Cybersecurity Governance Committee have relevant knowledge and experience in either IT systems, auditing of controls over IT systems, or management and assessment of risk processes and internal control systems to ensure proper management oversight.
Our IT management is responsible for notifying the Cybersecurity Governance Committee of cyber incidents they become aware of from software alerts, third-party vendors, employees or by other means. The Cybersecurity Governance Committee will review such incidents, including activities by IT management to evaluate the severity of the incidents, and will provide details of any cybersecurity events, including those not deemed to have a material impact, to our Internal Controls and Disclosure Committee for reporting to our Audit Committee. In addition, our Chief Financial Officer, Senior Director of IT and Director of Internal Audit maintain an ongoing dialogue with the Audit Committee during the year regarding emerging or potential cybersecurity risks.
The Cybersecurity Governance Committee has the responsibility for determining if a cybersecurity incident is considered to have a material impact on the Company requiring public reporting in accordance with the rules and regulations of the U.S. Securities and Exchange Commission.
Under the guidance of the Cybersecurity Governance Committee, we have adopted (i) a Security Incident Response Plan, (ii) a Cybersecurity Materiality Assessment Policy, and (iii) a Cybersecurity Register of Events.
Our IT management, in conjunction with our Director of Internal Audit, has responsibility for monitoring and testing the effectiveness of our cybersecurity controls and procedures on a recurring basis.