SPRUCE POWER HOLDING CORP - (SPRU)

10-K Filing Date: April 08, 2024
Item 1C. Cybersecurity - Risk Management, Strategy and Governance

Cybersecurity Strategy, Policy and Procedures

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined within Item 106(a) of Regulation S-K. These risks include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. We utilize information technology (“IT”) that enables our teams to access both operational and financial performance data in real time while also identifying and preventing cybersecurity threats and risks.

Risk Management and Strategy

Risk Management

Our cybersecurity risk management program is integrated into our overall enterprise risk management (“ERM”) framework, and shares common methodologies, reporting channels, and governance processes that apply across the ERM framework to other areas, including legal, compliance, strategic, operational, and financial risk. We assess and identify cybersecurity risk to the organization by:

Employing a cybersecurity policy that sets forth a protocol for assessing, testing, identifying and preventing security risks;

Conducting assessments of risk likelihood and magnitude from unauthorized access, use, disclosure, disruption, modification or destruction of IT systems and the related information processed, stored, or transmitted;

Training personnel on security risks and how to identify and prevent such risks;

Performing risk analysis and security assessments that document the results of the assessment for use and review;

Overseeing and identifying any risk from cyber threats associated with any third-party service provider;

Ensuring security controls are assessed for effectiveness, are implemented correctly and are operating as intended; and

Continuously scanning for vulnerabilities and remedying all vulnerabilities in accordance with the associated risk.

Cybersecurity is among the risks identified for Board-level oversight, with the Audit Committee of our Board of Directors responsible for overseeing our policies, practices, and assessments with respect to cybersecurity. Our Audit Committee and Board of Directors receive regular updates throughout the year on cybersecurity from our Finance, Risk and Sustainability (the “FRS”) Committee, which is tasked with risk management, data protection, and monitoring compliance with our cybersecurity policy. The FRS Committee is comprised of our Chief Financial Officer, Chief Legal Officer, Chief Operating Officer, Senior Vice President of IT, and VP of Corporate Development. Each of our Board of Directors and our Audit Committee separately receives an annual report on cybersecurity matters and related risk exposures, and when the report is covered during an Audit Committee meeting, the chair of the Audit Committee reports on its related matters to our Board of Directors. Our Audit Committee also receives regular updates on our cybersecurity posture throughout the year, as appropriate.

Monitoring 

In accordance with our cybersecurity policy, we have established a continuous monitoring strategy and program which includes:

Defined security metrics to be monitored;

Performance of security control assessments on an ongoing basis;

Engaging third-party security consultants to, among other things, conduct a review of our cybersecurity program, overseen by the FRS Committee, to identify any cybersecurity threats;

Addressing results of analysis and reporting security status to the executive team;

Monitoring information systems to detect attacks and indicators of potential attacks; and

Identification of unauthorized use of information system resources.

Data Protection

We have also implemented procedures set forth in our cybersecurity policy that secure sensitive data protected by us, which include:

Establishing policies governing data security;

Monitoring data access throughout the organization;

Providing annual security training and awareness;

Protecting sensitive data through encryption techniques; and

Designing and implementing systems to include backup and recoverability principles, such as periodic data backups and safeguards in the case of a disaster.

Incident Management Plan

Our cybersecurity policy includes an incident management plan (“IMP”), which consists of the following processes:

The development, documentation, review and testing of security procedures and incident management procedures, which are continually re-assessed, updated and tested;

The FRS Committee reviews any identified matters by assessment, verification and classification of incidents to determine affected stakeholders and appropriate parties for contact;

The FRS Committee notifies the Board of Directors and the Audit Committee to validate that the response is being addressed appropriately;

The FRS Committee consults with outside experts, if determined that the incident rises to a significant level;

The FRS Committee initiates containment by making tactical changes to the computing environment to mitigate active threats based on currently known information;

The FRS Committee establishes the root cause of incidents through identification and evidence collection from all affected machines and log sources, threat intelligence and other information sources;

IT personnel recover and restore normal business functionality, which includes the reversal of any damage caused by the incident and responding as needed; and

The FRS Committee reviews the closure of each incident and conducts a “lessons learned” analysis to improve prevention and ensure the IMP and cybersecurity plans are more efficient and effective.

We face several cybersecurity risks simply in the course of conducting business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks.

Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For more information about the cybersecurity risks we face, see the risk factor entitled “Any security breach, unauthorized access or disclosure, or theft of data, including personal information, we, our third party service providers, or our suppliers gather, store, transmit or use, could harm our reputation, subject us to claims, litigation, and financial harm and have an adverse impact on our business” within Item 1A. Risk Factors.