Altus Power, Inc. - (AMPS)
10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity
Our process for assessing, identifying, and managing material risks from cybersecurity threats alongside other risks is an integral part of our overall risk management system. This process is achieved by implementing specific controls, continuous monitoring, collaborative response plans, and regular reviews. Integration ensures a comprehensive view of risk and facilitates informed decision-making and a proactive approach to risk management. We employ various cybersecurity frameworks to ensure comprehensive protection of our systems and data, such as the NIST Cybersecurity Framework and elements of the CIS Controls Framework. By aligning with these standards and leveraging industry-specific best practices, we create a cybersecurity strategy to address the challenges of the solar power sector.
Regular assessments are conducted to identify potential cybersecurity risks across our organization, ensuring a comprehensive understanding of our risk exposure. To support our capabilities, we engage assessors, consultants, auditors, and other third parties with specialized expertise in cybersecurity. Their assessments cover various aspects of our infrastructure, including penetration testing, vulnerability assessments, and compliance audits, enabling us to strengthen our defenses against current and emerging threats.
Additionally, we have established processes to oversee and identify cybersecurity risks associated with third-party service providers. Thorough evaluations of their cybersecurity practices are conducted before engagement, ensuring our standards are met. Contractual agreements include requirements that enforce compliance with our security protocols, mitigating risks associated with third-party interactions.
Cybersecurity threats have the potential to disrupt our day-to-day operations, compromise sensitive data, and damage our reputation. While we have not experienced any material cybersecurity incidents to date, we acknowledge the potential impact of such threats on our business strategy, operations, and financial status. Additionally, regulatory fines or legal liabilities resulting from data breaches or non-compliance with cybersecurity standards will have a significant financial impact.
The Board of Directors provides supervision of cybersecurity risks to ensure the security of our company's operations. The Board of Directors receives quarterly updates on cybersecurity threats, vulnerabilities, and incidents from management, namely the Chief Digital Officer and IT Manager. These updates include information on the prevention, detection, and remediation of cybersecurity incidents, as well as monitoring key performance indicators, such as the effectiveness of security controls and overall cybersecurity posture.
Management plays a critical role in assessing and managing the company's material risks from cybersecurity threats. Cybersecurity efforts are overseen by the Chief Digital Officer, supported by a dedicated team. The Chief Digital Officer has over 20 years of experience in leadership roles in the digital domain at renowned organizations such as Nasdaq and TIAA. Their expertise encompasses a deep understanding of cyber threats, risk management strategies, and regulatory compliance requirements, which positions the Chief Digital Officer to lead the company against evolving cyber-related threats.
Notwithstanding our efforts described above, the Company cannot guarantee that it will be successful in identifying and preventing all cybersecurity risks. For a discussion of how the occurrence of such risks may impact Altus’ business, see the section entitled “Risk Factors” above.