Alarm.com Holdings, Inc. - (ALRM)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

Our business is highly dependent on the processing and storage of significant amounts of data, and we have invested and will continue to invest in measures to secure this data. We have implemented and maintain a comprehensive information security program consisting of policies, procedures, and technology designed to maintain the privacy, security and integrity of our data, intellectual property, confidential information, systems and networks. Our information security program is informed by externally established sets of standards, such as those of the National Institute of Standards and Technology and the Center for Internet Security. Among other things, the program includes controls designed to limit and monitor access to our systems, networks and data, prevent inappropriate or unauthorized access or modification, and monitor for threats or vulnerability. We maintain disaster recovery solutions and implement enhancements as necessary and also use technologies that assist in preventing theft and abuse of credentials and sensitive data. We also have third parties perform penetration tests as well as security assessments of mobile applications. Our information security program also includes third-party risk management processes that help us oversee and identify risks from our use of third-party service providers. Additionally, we focus our efforts on education and training for employees regarding cybersecurity and implementing security controls for contractors. We also engage consultants to conduct cybersecurity assessments and preparedness analysis. We primarily conduct our business in the United States and are expanding internationally in various other countries. Conducting expanded international operations subjects us to additional risks, including our exposure to cybersecurity incidents.

The risks related to cybersecurity change rapidly, and we aim to update our information security program as frequently as reasonably possible to achieve commercially accepted levels of preparedness. In addition to the core operating environment of Alarm.com, we also have acquired businesses and subsidiaries that in some cases operate data infrastructure that is distinct from the Alarm.com operating environment, and therefore have distinct data security vulnerabilities. The overall management of cybersecurity risk involves coordination between Alarm.com and our acquired businesses and subsidiaries, and data security risks in these entities may be heightened where the technology platform is less mature than the Alarm.com core platform.

We have established an Information Security team led by our Chief Information Officer, which is responsible for assessing, identifying and managing risks from cybersecurity threats. Managing cybersecurity risk has been integrated into our overall risk management system and is a priority that we monitor and review regularly with our Board of Directors. The Information Security team works closely with our Legal team to make determinations whether a cybersecurity incident has occurred and whether the incident has materially impacted or is reasonably likely to materially impact us. If a cybersecurity incident is deemed material, the incident is communicated to various members of the Alarm.com leadership team and with the Board of Directors. The Board of Directors oversees our overall risk management system, including cybersecurity risks. A member of the Information Security team presents at quarterly Board meetings and discusses specific risk areas, including those relating to cybersecurity.

To date, there have not been any cybersecurity threats or incidents that have materially impacted or are reasonably likely to materially impact our business strategy, results of operations or financial condition. In the ordinary course of business, we have experienced and will continue to experience cyber threats and incidents of varying degrees. Refer to Item 1A. “Risk Factors” for a discussion of risks related to data security and the associated risks to our business.