ORMAT TECHNOLOGIES, INC. - (ORA)
10-K Filing Date: February 23, 2024
Risk management and strategy
We prioritize the management of cybersecurity risk and the protection of information across our enterprise by embedding data protection and cybersecurity risk management in our operations. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes.
As a foundation of this approach, our privacy and security policies govern our business lines and subsidiaries. We monitor the privacy and security regulations applicable to us in the regions where we do business as well as proposed privacy and security regulations and emerging risks.
We conduct internal and external penetration testing and risk assessments on a regular basis, and have engaged consultants, auditors and other relevant third parties to assist us with cybersecurity risk management processes. Our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, and employee or vendor misconduct, and other external hazards could expose our data systems and those of our vendors to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our ability to conduct our business. While we have experienced cybersecurity incidents, to date, we are not aware that we have experienced a material cybersecurity incident. The sophistication of cybersecurity threats continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency may further expose our computer systems to the risk of cybersecurity incidents. For more information, see Part I of this Annual Report, Item 1A “Risk Factors—Risks Related to the Company’s Business and Operation—A cyber-incident, cyber security breach, severe natural event or physical attack on our operational networks and information technology systems could have a material adverse effect on our financial condition, results of operations, liquidity and cash flows.”
Governance
As part of our overall risk management approach, we prioritize the management of cybersecurity risk at several levels, including Board oversight, executive commitment and employee training. Our Audit Committee, comprised fully of independent directors from our Board, oversees the Board’s responsibilities relating to cybersecurity risks. Our Audit Committee is informed of such risks through reports from our Chief Information Officer (“CIO”) on at least an annual basis.
Our Chief Information Security Officer (“CISO”), who has been a chief information security officer at Ormat for six years, is certified by the International Information System Security Certification Consortium as an Information Systems Security Management Professional (“ISSMP”), as an Information Systems Security Architecture Professional (“ISSAP”), and as a Certified Information Systems Security Professional (“CISSP”). Our CISO oversees compliance with our information security (“IS”) standards and mitigation of IS risks. We also have the following internal bodies to support our processes to assess and manage cybersecurity risk:
• The Crisis Incident Management Team, which includes members of the executive management team, the CIO, CISO, and other senior executives across the Company, is alerted as appropriate to cybersecurity incidents, as well as other crises, such as natural disasters and outages. This team also periodically oversees tabletop drills on various cybersecurity incidents.
• The Cyber Risk Disclosure Committee brings together senior management, including the CEO, CFO, General Counsel and other relevant functions to review the materiality of cyber incidents for disclosure purposes. The Cyber Risk Disclosure Committee members are also part of the Crisis Incident Management team.
• The IT leadership team, led by our Chief Information Officer, oversees IT initiatives while considering cybersecurity risk mitigation with respect to these initiatives. The team provides periodic presentations to senior management and the Board on cybersecurity risk and mitigation.
• The VP of Technical and Maintenance chairs monthly cybersecurity meetings to review cyber risks or threats related to the operations of our geothermal projects.
At the level of the general employee population, we hold trainings on privacy and information security, records and information management, and information security regulatory compliance, conduct phishing tests and generally seek to promote awareness of cybersecurity risk through broad communication and educational initiatives, depending on the employee’s level, role and exposure to sensitive systems and the associated cybersecurity risk profile. We also contract with an external vendor to monitor alerts in real time on cybersecurity incidents.