SOLAREDGE TECHNOLOGIES, INC. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

SOLAREDGE TECHNOLOGIES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 08:51:57 EST.

Filings

10-K filed on 2025-02-25

SOLAREDGE TECHNOLOGIES, INC. filed a 10-K at 2025-02-25 08:51:57 EST
Accession Number: 0001178913-25-000605


Item 1C. Cybersecurity.

Cyber security risk is an area of increasing focus for our Board, particularly as an increasingly significant part of our operations rely on digital technologies. As a result, we have implemented a cyber security program to assess, identify, and manage risks from cyber security threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems. This program has been integrated into the Company’s overall risk management process.

We design and assess our cybersecurity program based on the CIS Controls and NIST Cybersecurity Framework (CSF). These frameworks provide us with a common language and structure for identifying, assessing, and managing cybersecurity risks across our organization. We do not claim to comply with any technical standards, specifications, or requirements by using these frameworks. They are guides that help us to deal with the cybersecurity risks that are relevant to our business.

Our cybersecurity program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. To this end, we have implemented a cybersecurity program that includes the following elements:

▪ A Cybersecurity Manager responsible for developing and maintaining our administrative, technical, and physical cybersecurity controls.
▪ Risk assessments designed to identify material cybersecurity risks to our critical systems and information.
▪ A Security Operations Center (SOC) to monitor our critical infrastructure and execute immediate, human-led responses to confirmed threats.
▪ External technology and security providers, where appropriate, to assess, test or otherwise assist with aspects of our cybersecurity program.
▪ Cybersecurity awareness training for employees and supplemental training for senior management and other personnel who access highly sensitive information.
▪ A third-party risk management process and questionnaire for service providers and vendors who access sensitive information.
▪ A trained incident response team and written procedures to navigate the incident response lifecycle.

Based on the information that we have to date, we have not identified risks from known cybersecurity threats, including any prior cybersecurity incidents, that have materially affected, including our operations, business strategy, results of operations, or financial condition and, as of the date of this Annual Report on Form 10-K, the Company is not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that the Company will not be materially affected by such risks in the future. There can be no guarantee that our policies, programs and controls, and those of our third-party vendors, including those described in this section, will be sufficient to protect our information, information systems or other property. Additional information on cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” which should be read in conjunction with the foregoing information.

Risk Management and Strategy

While we follow IoT cybersecurity standards and regulations, our products and information systems are potentially subject to cyber risks of data leakage and operational damages. To protect our products and information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, annual cyber testing, internal auditing, monitoring and detection tools, and a bug bounty program to allow security researchers to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. Any reported vulnerability is analyzed and reported to our Chief Information Security Officer (“CISO”).

As part of our program to mitigate risk from cyber security threats, the Company actively evaluates and refines its cyber security tools and processes with the intention of reducing cyber security risks and aligning with the National Institute of Standards and Technology Cyber-security Framework for risk management. Features of our cybersecurity program include:

◦ Processes designed to comply with information security standards and privacy regulations, including the European Union’s General Data Protection Regulation.
◦ Maintenance of an ISO 27001 Information Security Management Standard certification.
◦ Implementation of a variety of security controls, such as firewalls, and intrusion detection systems.
◦ Protection against Denial-of-Service attacks which prevent legitimate use of our services.
◦ Security events monitoring in our security operations center.
◦ Development of incident response policies and procedures designed to initiate remediation and compliance activities in a timely manner.
◦ Implementation of data loss prevention tools.
◦ Implementing an ID management system to enforce granular role-based access controls.
◦ Performing penetration testing on cloud and app platform.
◦ Administration of a comprehensive cyber security awareness program to educate employees about cyber security risks and best practices.
◦ Retention of a third-party, independent cyber security firm to conduct cyber security assessments of our systems and procedures.
◦ Employment of a responsible disclosure policy, which includes a Bug Bounty Program designed to help identify and fix any potential flaws in the company’s services or products.

Third Party Cybersecurity Oversight

We have implemented governance processes designed to monitor, evaluate, and mitigate security risks that may arise from a relationship with a third party vendor, partner, or customer. These security measures include:

◦ Vendor security assessments - Evaluating the cybersecurity protection that key vendors employ, prior to and during engagement.
◦ Insurance risk assessments - conducted by our insurance providers in order to evaluate cybersecurity related exposure.
◦ Operational Technology Security - Implementing security measures within some of our manufacturing facilities to enhance our cybersecurity protection.
◦ Secure customer data management - Solutions designed to safeguard customer data and critical systems.

We engaged a well-known external firm to audit our compliance with the European Union’s NIS 2.0 Directive (the Directive on Security of Network and Information Systems). This audit is being conducted to confirm that our cybersecurity practices align with the latest regulatory requirements and best practices for managing the security of critical infrastructure and services.

The Technology Committee receives periodic reports from management on our cybersecurity program and risks. In addition, management updates the Technology Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Technology Committee reports to our Board regarding its risk management functions, including those related to cybersecurity.

Governance & Oversight

The Board has delegated primary oversight of the Company’s risks from cybersecurity threats to the Technology Committee. Our management team, including our CISO, provides quarterly updates to our Technology Committee and annually to the full Board regarding our cyber security activities and other developments impacting our digital security. We have protocols by which certain cyber security incidents are escalated within the Company and, where appropriate, reported to the Board and Technology Committee in a timely manner.

At the management level, our CISO, who reports to our Chief Information Officer, is responsible for overseeing the assessment and management of our material risks from cyber security threats. Our CISO has extensive experience and knowledge in cyber security as a result of 27 years of experience in leading security teams, developing security strategies, and managing risk across various industries. The CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through reports from a number of experienced information security officers responsible for various parts of the business and regularly reviewing risk management measures implemented by the Company to identify and mitigate cyber security risks.


Company Information

Name: SOLAREDGE TECHNOLOGIES, INC.
CIK: 0001419612
SIC Description: Semiconductors & Related Devices
Ticker: SEDG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30