SOLAREDGE TECHNOLOGIES, INC. - (SEDG)
10-K Filing Date: February 26, 2024
ITEM 1C. Cyber security
Cyber security risk is an area of increasing focus for our Board, particularly as an increasingly significant part of our operations relies on digital technologies. As a result, we have implemented a cyber security program to assess, identify, and manage risks from cyber security threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems. This program has been integrated into the Company’s overall risk management process.
Risk Management and Strategy
While we follow IoT cybersecurity standards and regulations, our products and information systems are potentially subject to cyber risks of data leakage and operational damages. To protect our products and information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, annual cyber testing, internal auditing, monitoring and detection tools, and a bug bounty program to allow security researchers to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. Any reported vulnerability is analyzed and reported to the CISO.
As part of our program to mitigate risk from cyber security threats, the Company actively evaluates and refines its cyber security tools and processes with the intention of reducing cyber security risks and aligning with the National Institute of Standards and Technology Cyber-security Framework for risk management. Features of our cybersecurity program include:
◦ Processes designed to comply with information security standards and privacy regulations, including the European Union's General Data Protection Regulation.
◦ Maintenance of an ISO 27001 Information Security Management Standard certification.
◦ Implementation of a variety of security controls, such as firewalls, and intrusion detection systems.
◦ Protection against Denial-of-Service attacks which prevent legitimate use of our services.
◦ Security events monitoring in our security operations center.
◦ Development of incident response policies and procedures designed to initiate remediation and compliance activities in a timely manner.
◦ Implementation of data loss prevention tools.
◦ Implementing an ID management system to enforce granular role-based access controls.
◦ Performing penetration testing on cloud and app platform.
◦ Administration of a comprehensive cyber security awareness program to educate employees about cyber security risks and best practices.
◦ Retention of a third-party, independent cyber security firm to conduct cyber security assessments of our systems and procedures.
◦ Employment of a responsible disclosure policy, which includes a Bug Bounty Program designed to help identify and fix any potential flaws in the company’s services or products.
We also employ processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, or customer, or otherwise implicating the third-party technology and systems we use. Such security measures include, without limitation:
◦ A security solution designed to safeguard customer data and systems.
◦ Security assessments of our major vendors.
◦ Risk assessments by an insurance company.
◦ Implementation of endpoint detection and response (EDR) technology, as well as partial operational technology (OT) security measures on some of our factories, to protect our on-premises systems.
Governance & Oversight
The Board has delegated primary oversight of the Company's risks from cyber security threats to the Technology Committee. Our management team, including our Chief Information Security Officer (CISO), provides quarterly updates to our Technology Committee and annually to the full Board regarding our cyber security activities and other developments impacting our digital security. We have protocols by which certain cyber security incidents are escalated within the Company and, where appropriate, reported to the Board and Technology Committee in a timely manner.
At the management level, our CISO, who reports to our Chief Information Officer, is responsible for overseeing the assessment and management of our material risks from cyber security threats. Our CISO has extensive experience and knowledge in cyber security as a result of 26 years of experience in leading security teams, developing security strategies, and managing risk across various industries. The CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through reports from a number of experienced information security officers responsible for various parts of the business and regularly reviewing risk management measures implemented by the Company to identify and mitigate cyber security risks.
The Company’s internal auditor and CISO are informed in the event of any significant cyber security incident and operate to comply with applicable laws and regulations.
Cyber Security Risks
A material cyber security incident could materially affect our operations and production, including our ability to produce goods or provide services and our ability to timely and accurately produce financial reports. Further, a cyber security incident could result in unauthorized access or disclosure of sensitive data, such as financial information, intellectual property, or customer, employee or supplier related data, including personally identifiable information. A material cyber incident could adversely affect our financial condition and results of operations, have an adverse effect on our reputation and could result in legal actions against the Company. Please see the discussion under "Any unauthorized access to, disclosure, or theft of personal information we gather, store, or use could harm our reputation and subject us to claims or litigation." and "Third parties, our employees, or our vendors might gain unauthorized access to our network or seek to compromise our products and services" in Item 1A. Risk Factors for additional information.
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. However, there can be no guarantee that we will not be the subject of future successful threats or incidents. The Company has not been subject to any information security breach penalties or settlement payments.