Ameresco, Inc. - (AMRC)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Information Technology and Cybersecurity Risk Management
As is the case for all large companies, we are regularly subject to cyberattacks and other cyber incidents and, therefore, cybersecurity occupies a pivotal role within our risk management process. We adhere to a risk-based, multi-layered “defense in depth” approach dedicated to identifying, protecting against, detecting, responding to, and recovering from cyber threats and incidents. We understand that a single technology, process, or business control cannot wholly prevent or mitigate all potential risks. Therefore, we employ a multitude of technologies, processes, and controls, each functioning independently but collectively forming a cohesive strategy aimed at minimizing risk. This strategy is evaluated through various means, such as frequent research and industry security briefings among our information technology group, internal and external audits, independent program assessments, control attestation reports, penetration testing, and other exercises that gauge its effectiveness. Threats and incidents connected with third-party service providers are considered and managed under this process as well.
We engage external parties, including consultants, independent privacy assessors, computer security firms and risk management and governance experts, to enhance our cybersecurity oversight. For example, we have engaged an outside consulting firm with expertise in the field to help us assess our systems, monitor risk and implement best practices and to support the internal audit of our cyber security programs, and we regularly consult with industry groups on emerging industry trends. In addition, as part of our overall risk mitigation strategy, we also maintain cyber insurance coverage. Our cybersecurity policies, standards and procedures include cyber and data breach response plans, which are periodically assessed against the National Institute of Standards and Technology Cybersecurity Framework.
We do not believe that there are currently any risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition.
Cybersecurity Governance and Oversight
The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk. The Audit Committee receives and provides feedback on periodic updates from management regarding cybersecurity. Agendas for quarterly updates are developed and adjusted throughout the year to adapt to any emerging risks or key topics and include a wide range of information, including the prevailing cybersecurity threat landscape, investments in infrastructure, training programs and opportunities for bolstering the security of our company's systems and the protection of our products and operations. The full Board of Directors receives regular reports from the Audit Committee and our management on our cyber security program and the emerging threat landscape.
We have a Senior Vice President of Information Technology whose team is responsible for leading company-wide cybersecurity strategy, policy, standards and processes and works across relevant units of Ameresco. Our Senior Vice President of Information Technology has more than thirty years of experience in cybersecurity and information technology and based on his long career with Ameresco he has a deep understanding of our information technology and business needs and the cyber security opportunities and risks we face.
In actioning our cyber security strategy, our management together with our Senior Vice President of Information Technology evaluate the materiality of any cybersecurity threats and incidents utilizing both qualitative and quantitative considerations. Our internal audit team also provides independent testing on aspects of the operations of our cybersecurity program and the supporting control framework.
Our cybersecurity program is designed to ensure the confidentiality, integrity, and availability of data and systems as well as to ensure timely identification of and response to any incidents. This design is geared toward supporting our business objectives and the needs of our valued customers, employees, and other stakeholders. We firmly believe that cybersecurity is a collective responsibility that extends to every employee, and we prioritize it as an ongoing objective. To increase our employees' awareness of cyber threats, we provide education and share best practices through a security awareness training program. This includes regular exercises, cyber-event simulations, training programs and an annual attestation to our Technology Acceptable Use Policy.
See “A failure of our information technology (“IT”) and data security infrastructure or cyber or other security incidents, vulnerabilities or other deficiencies, could adversely impact our business, reputation or results of operation or could cause us to default under our contractual obligations.” in Item 1A, Risk Factors.