Enphase Energy, Inc. - (ENPH)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We rely on information technology and data to operate our business and develop, market and deliver our products and services to our customers. Our critical information technology includes certain computer networks, third-party hosted services, communications systems, software, personal computers and servers (collectively, “Information Technology”), and our critical data includes certain confidential, personal, proprietary and sensitive data (collectively “Confidential Data”). Accordingly, we maintain risk assessment processes designed to identify cybersecurity threats relating to such Information Technology and Confidential Data, and assess potential material impact to our business that may result from such threats. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity and availability of our Information Technology and Confidential Data and mitigate material harm to our business.
We identify such threats by, among other methods, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats, and conducting vulnerability assessments.
In the event a threat results in a cybersecurity incident, we have a process for escalating certain cybersecurity incidents from our security team up through our security leadership and ultimately to management.
Based on our risk assessment process, we implement and maintain various technical, physical and organizational processes designed to manage and mitigate cybersecurity risks that could affect our Information Technology and Confidential Data, and potential material impacts that may result from such risks. We have implemented measures designed to prevent, detect, respond to, mitigate and recover from identified and significant cybersecurity threats. The cybersecurity risk management processes we maintain for our Information Technology and Confidential Data, depending on the particular environment and system processes, are designed to address cybersecurity threats; incident response; vulnerability management; business continuity; incident detection and response; internal and external evaluations to assess our exposure to cybersecurity threats, environment, compliance with risk mitigation procedures, and effectiveness of relevant controls; documented risk assessments; encryption of data; network security; threat modeling; physical and electronic access; physical security; asset management, tracking and disposal; systems monitoring; vendor risk management; employee security training; penetration testing; cyber insurance; and the maintenance of a dedicated cybersecurity team.
To operate our business, we utilize certain third-party service providers to perform a variety of functions and provide certain security-related services, such as outsourced business critical functions, professional services, SaaS platforms, managed services, cloud-based infrastructure, data center facilities, content delivery to customers, encryption and authentication technology, corporate productivity services, and other functions; as well as third parties that assist us to identify, assess and manage cybersecurity risks, including professional services firms, threat intelligence service providers, cybersecurity software providers, penetration testing firms and other vendors that help to identify, assess or manage cybersecurity risks. For certain vendors, our vendor management process includes evaluating the cybersecurity practices of such provider and contractually imposing obligations on the provider related to the services they provide and/or the information they process.
For a description of the risks from cybersecurity threats that may materially affect the company and how those risks may affect the company, please refer to Part I, Item 1A. Risk Factors—Risks Related to our Intellectual Property and Technology of this Annual Report on Form 10-K for additional information about cybersecurity-related risks.
Enphase Energy, Inc. | 2023 Form 10-K | 45

Governance
Our board of directors oversees our overall risk management strategy. The Audit Committee has general oversight with respect to cybersecurity risk. The Audit Committee has established a cybersecurity subcommittee to discuss issues and risks related to cybersecurity, and it includes one of our board members with cybersecurity experience, and holds regular meetings. This subcommittee has a dedicated agenda during such meetings that are designed to assist the Audit Committee with its cybersecurity oversight and allow it to report to the full Board if necessary. The meetings involve presentations and reports from our management, security leadership and information security team, including updates on relevant cybersecurity threats faced by the company and steps we are taking to address them.
Our management team is involved with our efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing the implementation and maintenance of our cybersecurity policies and procedures and activities carried out in furtherance of those policies and procedures. The Vice President of Information Technology leads our cybersecurity risk management efforts and helps us assess cybersecurity risks, establish priorities, and determine the scope and details of our cybersecurity program. We have identified certain members of management and relevant employees to oversee our cybersecurity incident response and vulnerability management processes.