Array Technologies, Inc. - (ARRY)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our commercial success depends on developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity and availability of our data.
Managing Material Risks & Integrated Enterprise Risk Management
We are working to strategically integrate cybersecurity risk management into our broader enterprise risk management program to promote a company-wide culture of cybersecurity risk management. Our enterprise risk management project team is working closely with our IT department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs while building out a framework to monitor those risks and integrate objectives into our broader strategic plan.
Engaging Third Parties on Risk Management
Given the complexity and evolving nature of cybersecurity threats, we have engaged a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating, testing, and improving our risk management systems. These partnerships enable us to leverage specialized knowledge and insights and include regular audits, threat assessments, and consultation on security enhancements.
Overseeing Third Party Risk
The need to govern third party service providers and vendors poses significant challenges, and as a result we have implemented processes to oversee and manage these risks. Our procedures contemplate conducting security assessments of all third-party providers that are proportional to the risks present, ideally before or soon after engagement, and periodically thereafter, in order to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
We have not encountered cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, although we cannot rule out that a cyber attack in the future could materially affect our ability to operate.
Governance
Our Board of Directors (the “Board”) is aware of the critical nature of managing risks associated with cybersecurity threats. In recognition of the significance of these threats to our operational integrity and shareholder confidence, the Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats.
Board of Directors Oversight
The Nominating and Corporate Governance Committee of the Board bears primary responsibility for oversight of cybersecurity risks. The Nominating and Corporate Governance Committee is briefed by the Chief Information Officer (“CIO”) and the Chief Legal Officer (“CLO”) on cybersecurity risks at least once each year and on any material cybersecurity incidents, as further described below. The Nominating and Corporate Governance Committee is composed of directors equipped with diverse skills needed to oversee the different facets of cybersecurity risks effectively, including risk management, public company leadership, innovation and technology, corporate governance and finance.
Management’s Role Managing Risk
The CIO and the CLO are responsible for updating the Nominating and Corporate Governance Committee on cybersecurity risks and the Company’s mitigation strategies. They provide quarterly updates to the Nominating and Corporate Governance Committee, as well as comprehensive briefings at least once per year and appropriate briefings during any potentially material cybersecurity incident. These briefings encompass a broad range of topics, including:
• results of internal assessments and audits by third parties;
• the current cybersecurity landscape and emerging threats;
• the status of ongoing cybersecurity initiatives and strategies;
• incident reports and lessons learned from any cybersecurity events; and
• compliance with regulatory requirements and industry standards.
In addition to regularly scheduled meetings, the Nominating and Corporate Governance Committee, CIO and Chief Executive Officer (“CEO”) maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive periodic updates on significant developments in the cybersecurity landscape to support proactive and responsive Board oversight. The Nominating and Corporate Governance Committee actively participates in strategic decisions related to cybersecurity, reviewing and offering guidance on major initiatives and any potentially material cybersecurity incident. This involvement ensures that cybersecurity considerations are integrated into the Company’s broader strategic objectives.
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CIO, Jovan Kangrga. Mr. Kangrga has managed cybersecurity and information security at Array for the past four years and has over 13 years of total experience as an information technology executive for publicly listed companies. Mr. Kangrga holds B.S. degrees in finance and computer science from Arizona State University as well as an M.B.A. from Western International University. He manages a team with over 40 years of combined experience in cybersecurity. Our CIO reports to our CLO, and both our CIO and CLO are responsible for updating the CEO, the Nominating & Corporate Governance Committee, and the Board on cybersecurity issues.
Ongoing Education and Monitoring
The CIO leads our cybersecurity team, which remains current with the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing education is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CIO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits, including penetration testing, to identify potential vulnerabilities. In the event of a cybersecurity incident, we are equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting to the Board of Directors
The CIO regularly informs the CLO and CEO of all significant aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential significant risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Nominating and Corporate Governance Committee of the Board and, in certain cases, the Board itself, ensuring that they have comprehensive oversight and can provide guidance on any potentially material cybersecurity incident.