Page last updated on February 25, 2025
Shoals Technologies Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 07:46:29 EST.
Filings
10-K filed on 2025-02-25
Shoals Technologies Group, Inc. filed a 10-K at 2025-02-25 07:46:29 EST
Accession Number: 0001831651-25-000019
Item 1C. Cybersecurity.
Risk Management and Strategy
Our cybersecurity strategy focuses on striking a balance between data barriers and access, and promoting vigilance among our employees, contractors, and business partners. We monitor and implement procedures, policies, and activities designed to manage our data and to maintain a high level of privacy and security within our systems. In 2024, we continued the development of our enterprise risk program, which integrates cybersecurity.
Our cybersecurity processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We implemented risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our products and related services.
We have an information security risk program structured according to the National Institute of Standards and Technology Cybersecurity Framework, industry best practices, privacy legislation, and other standards and regulations. Our program includes a defense-in-depth approach with multiple layers of security controls, including network segmentation, security monitoring, endpoint protection, and identity and access management, as well as data protection best practices and data loss prevention controls. Through our cybersecurity program, we continuously monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational and financial effects of any threat and of cybersecurity risk countermeasures made to defend against such threats.
In addition, we maintain specific policies and practices governing our third-party security risks, including our third-party assessment process. Under this assessment process, we gather information from certain third parties who contract with us and share or receive data, to help us assess potential risks associated with their security controls. We also generally require third parties to, among other things, maintain security controls to protect our confidential information and data, and notify us of material data breaches that may impact our data. We assess the risks from cybersecurity threats that impact select third-party service providers with whom we share personal identifying and confidential information. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the services we procure from such third parties.
Our cybersecurity awareness program includes regular phishing simulations, and quarterly general cybersecurity awareness and data protection modules for all employees with network access, as well as more contextual and personalized modules for targeted users and roles.
We complete annual internal security audits and vulnerability assessments of the Company’s information systems and related controls, including systems affecting personal data. In addition, we leverage cybersecurity specialists to complete annual external audits and objective assessments of our cybersecurity program and practices, including our data protection practices, as well as to conduct targeted attack simulations.
We have also purchased network security and cyber liability insurance in order to provide a level of financial protection, should a data breach occur. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all.
In 2024, we did not experience any material cybersecurity incident. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see Item 1A. “Risk Factors-The unauthorized access to our information technology systems or the disclosure of personal or sensitive data or confidential information, whether through a breach of our computer system or otherwise, could severely disrupt our business or reduce our sales or profitability” and “Failure of our information technology systems, including those managed by third parties, whether intentional or inadvertent, could lead to delays in our business operations and, if significant or extreme, affect our results of operations.”
Governance
Our board of directors reviews our management of cybersecurity risks, and our Audit Committee has been delegated primary oversight of such risks and the steps our management has taken and takes to monitor and control these exposures. Our data privacy and security program is overseen by our Vice President of IT, who presents to the Board on an annual basis. Starting in 2024, our Board receives quarterly briefings on cybersecurity matters and the Company’s efforts to prevent, detect, mitigate, and remediate cybersecurity risks. Our Audit Committee also receives regular briefings on cybersecurity matters, including cybersecurity threats and receives details on any significant cybersecurity incidents.
Our Vice President of IT leads our dedicated Information Technology team (“IT team”), which executes on our data privacy and information security programs and policies, and our Cyber Incident Response Team (“IRT”), which executes on our incident response procedures in the event of a data privacy or security event and conducts annual exercises simulating cybersecurity and data breach incidents. The IRT is comprised of internal members from the finance, legal, human resources, and operations departments, as well as external cybersecurity vendors and advisors. The members of our IRT understand the complexities of our business and are experienced in the financial, legal, regulatory and operational consequences of a cybersecurity incident or threat to the Company. The IT team is led by Shoals’ Vice President of IT, Gerald Jowers, who joined in 2024 with 30 years of technology experience.
Company Information
Name | Shoals Technologies Group, Inc. |
CIK | 0001831651 |
SIC Description | Semiconductors & Related Devices |
Ticker | SHLS - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |