FIRST SOLAR, INC. - (FSLR)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

First Solar maintains a cyber risk management program designed to identify, assess, and manage cybersecurity risks. The underlying controls of the cyber risk management program incorporate recognized best practices and standards for cybersecurity, including guidance from the National Institute of Standards and Technology (“NIST”) cybersecurity framework. Our cyber risk management program includes various risk assessments that are completed on a regular basis, including (i) information security controls assessments with internal and external audit partners, (ii) architectural and technical assessments with third-party experts, (iii) internal and external penetration testing with third-party service providers, (iv) continuous cyber risk register reviews, and (v) risk prioritization with our executive officers. The identification of cybersecurity risks is aided by a technical toolset as well as threat hunting and counterintelligence services provided by third-party service providers. These risk assessments and the technical toolset inform our information security roadmap, which allocates resources toward strategic initiatives to mitigate, transfer, and/or reduce cybersecurity risks. Our associates engage in annual cybersecurity training and periodic phishing simulation exercises with targeted training. Additionally, confidential information protection training is regularly provided to associates who have access to personally identifiable information, reside in certain jurisdictions, or have privileged access.

Third-party risk management at First Solar includes screening processes to evaluate the information security programs and capabilities of our vendors, including periodic reviews of vendor control assessments, such as System and Organization Controls (“SOC”) 2 Type 2 reports, which are supplemented by end-user controls performed by First Solar associates. These processes enable us to oversee and identify potentially material risks from cybersecurity threats associated with our use of third-party service providers.

The Head of Information Security oversees the Information Security team, which assesses and manages cybersecurity risks at First Solar as part of our information security program. The Head of Information Security and our Information Security team members collectively hold certifications in cyber-risk oversight from the National Association of Corporate Directors, Certified Systems Security Officer and Certified Information Systems Manager credentials, and Certified Information Systems Security Professional and Systems Security Certified Practitioner credentials. The Head of Information Security, who has over 20 years of information technology experience, including over 10 years in leadership roles at First Solar, reports to the Chief Information Officer and regularly briefs the Chief Financial Officer and the audit committee of the board of directors on cybersecurity matters. The cybersecurity risks identified as part of our information security program are integrated into our enterprise risk management program. The audit committee reviews the integration of our cybersecurity controls and procedures with our overall risk management systems and processes, and reviews and discusses with management First Solar’s major information security risks (including cybersecurity) and the steps management has taken to monitor, control, and limit such exposures and risks. An Information Security Steering Committee, which is comprised of senior management from various departments, serves in an advisory capacity regarding the implementation, support, and management of the information security program and compliance with applicable state and federal laws and regulations. This committee aligns business initiatives, material digital risks, risk tolerance levels, and security requirements with the information security roadmap.

The Information Security team actively manages cybersecurity threats and incidents through comprehensive technical tooling, reporting, partnerships, and processes. Intrusion prevention, detection, and response systems, access management systems, and incident and vulnerability management systems are all examples of technical tools employed by First Solar’s Information Security team to protect our information technology environment. Our incident response plan includes specific criteria for determining the potential impact of an identified cybersecurity incident and defined escalation protocols to determine which internal and external stakeholders should be involved and the appropriate communication channels, including considerations of any reporting based on regulatory requirements. Cybersecurity incidents are evaluated on a case-by-case basis and are categorized as low, moderate, or high impact incidents depending on qualitative and quantitative factors, including, but not limited to, their operational impact, degree of compromise, legal or regulatory impacts, and data disclosure impacts. The audit committee of the board of directors is notified if a potentially material incident is identified and reviews our response to material cybersecurity incidents, including disclosure considerations and the engagement of forensic and other technology experts to ascertain the extent of the incident, remediation actions, and responsive measures to prevent or mitigate future incidents.

As a result of ongoing monitoring, we have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, financial condition, or results of operations. Notwithstanding the cybersecurity processes and procedures described above, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, financial condition, or results of operations. While we maintain cybersecurity insurance, the costs related to cybersecurity incidents, including information and security breaches, or other disruptions may not be fully insured. For further information regarding the risks to us associated with cybersecurity incidents and other events, including information and security breaches, and how such risks may affect the Company, see the Risk Factor entitled, “Cybersecurity incidents or information or security breaches, or those of third parties with which we do business, could have a material adverse effect on our business, financial condition, and results of operations.”