Sunrun Inc. - (RUN)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.

To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity risks, their severity, and potential mitigation strategies. We employ various tools and services for such purposes, including network, cloud and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises. We also have a cybersecurity risk assessment process, which helps identify our cybersecurity threat risks by considering certain industry standards as well as by engaging third parties to assess the security posture of our information security program.

To manage our material risks from cybersecurity threats, we take certain measures, including the below listed activities, depending on the nature of the relevant systems, data, and environment:

undertaking periodic reviews of our consumer-facing policies and statements;

conducting phishing email simulations for employees and contractors with access to corporate email systems;

requiring employees, and certain service providers, to treat customer information with care;

running tabletop exercises to simulate a response to a cybersecurity incident;

carrying cybersecurity insurance that provides protection against the potential losses arising from a cybersecurity incident;

conducting annual cybersecurity awareness training for employees; and

maintaining an incident response plan to prepare for, detect, respond to, and recover from cybersecurity incidents.

As part of our efforts to identify, assess, and manage material risks from cybersecurity threats, we engage third-party cybersecurity consultants and use them to, among other things, conduct a review of our cybersecurity program or conduct a tabletop exercise to help identify areas for continued focus, improvement and/or compliance.

Our processes also address cybersecurity risks associated with our use of third-party service providers, including those in our supply chain (which includes, but is not limited to, open-source software used in our application development processes) and those who have access to our customer and employee data or our systems. Addressing these risks is part of our enterprise risk management program. Cybersecurity risks affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our critical systems or data, or to the facilities that house such systems or data, and monitor cybersecurity threat risks identified through such diligence. Additionally, we may impose contractual requirements related to cybersecurity on certain third parties that could pose significant cybersecurity risk to us and require them to agree to audits as appropriate.

We describe the risks from cybersecurity threats that may materially affect us and how they may do so under the heading “Risks Related to Our Business Operations” under Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our approach is to treat cybersecurity not just as a technology issue, but to recognize that it can have wide-ranging impacts on the business, operations, and financials of our company.

Our Audit Committee is responsible for the oversight of risks from cybersecurity threats and receives updates from management quarterly. At least annually, the entire Board receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee and Board generally receive materials including a cybersecurity scorecard and other materials indicating current and emerging material cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discuss such matters with our Chief Information Security Officer. Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Security Officer (CISO) together with our Chief Technology Officer, our Chief Legal and People Officer, our Senior Vice President of Legal, and our Vice President, Internal Audit. These individuals have extensive prior work experience and expertise, spanning over three decades, in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, managing cybersecurity operations and incident response, and incorporating security and privacy by design into software development programs, and our CISO holds both CISSP and CRISC certifications.

These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.

As discussed above, these members of management report to the entire Board about cybersecurity threat risks, among other cybersecurity-related matters, at least annually, with updates to the Audit Committee on a quarterly basis.
