Page last updated on February 27, 2025
Sunrun Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:57:50 EST.
Filings
10-K filed on 2025-02-27
Sunrun Inc. filed a 10-K at 2025-02-27 16:57:50 EST
Accession Number: 0001469367-25-000039
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.

To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity risks, their severity, and potential mitigation strategies. We employ various tools and services for such purposes, including network, cloud and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises. We also have a cybersecurity risk assessment process, which surfaces cybersecurity risks by measuring our posture against industry standards and engaging third parties to assess our information security program.

To manage our material risks from cybersecurity threats, we take certain measures, including the below listed activities, depending on the nature of the relevant systems, data, and environment:
- undertaking period reviews of our consumer-facing policies and statements;
- conduct phishing security training for employees and contractors with access to corporate email systems;
- require employees, and data service providers with whom we share customer, employee or partner data, to treat customer information with care;
- running tabletop exercises to simulate a response to a cybersecurity incident;
- carrying cybersecurity insurance that provides protection against the potential losses arising from a cybersecurity incident;
- conducting annual cybersecurity awareness training for employees; and
- maintaining an incident response plan to prepare for, detect, respond to, and recover from, cybersecurity incidents.

As part of our efforts to identify, assess, and manage material risks from cybersecurity threats, we engage third-party cybersecurity consultants and use them to, among other things, conduct a review of our cybersecurity program or conduct a tabletop exercise to help identify areas for continued focus, improvement and/or compliance. In addition to maintaining a robust incident response plan, we regularly test our response capabilities through real-world simulations, post-incident reviews, and lessons-learned exercises to ensure continuous improvement in our ability to respond effectively to cybersecurity incidents.

Our processes also address cybersecurity risks associated with our use of third-party service providers, including those in our supply chain, which also include, but are not limited to, open-source software in our application development processes, or those who have access to our customer and employee data or our systems.

Our cybersecurity program is closely aligned with our commitment to data privacy.
We adhere to applicable data protection laws and regulations, integrate privacy-by-design principles into our processes, and routinely assess our practices to ensure that we protect customer, employee, and partner information. Addressing these risks is part of our enterprise risk management program.

Cybersecurity risks affect the selection and oversight of our third-party service providers. We perform diligence on third-parties that have access to our critical systems, data or facilities that house such systems or data, and monitor cybersecurity threat risks identified through such diligence. Additionally, we may impose contractual requirements related to cybersecurity on certain third parties that could pose significant cybersecurity risk to us and require them to agree to audits as appropriate.

Cybersecurity Incidents

During the last fiscal year, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. While we have encountered routine cybersecurity threats and attempted attacks, such as phishing emails and malware attempts, our security measures have effectively mitigated these risks without causing material disruption. Despite our efforts, the risk of cybersecurity incidents remains, and we continue to monitor, adapt and enhance our security posture to address evolving threats. Any future cybersecurity breaches or system vulnerabilities could impact our business operations, reputation and regulatory compliance obligations. We remain committed to maintaining a robust cybersecurity program to mitigate these risks.

We provide disclosures on the potential material impacts of cybersecurity threats on our business operations, which are detailed under the heading ‘Risks Related to Our Business Operations’ in Item 1A of this Annual Report on Form 10-K, and those disclosures are incorporated by reference herein.

Cybersecurity Governance

Cybersecurity is a critical component of our enterprise risk management framework and a key area of focus for both our Board and management. Our approach is to treat cybersecurity not just as a technology issue, but to recognize that it can have wide-ranging impacts on the business, operations, and financials of our company.

Our Audit Committee is responsible for the oversight of risks from cybersecurity threats and receives updates from management quarterly. At least annually, the entire Board receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee and Board generally receive materials including a cybersecurity scorecard and other materials indicating current and emerging material cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discuss such matters with our Chief Information Security Officer.

Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
Material cybersecurity threat risks are also integrated into Board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our VP Information Security in connection with our Chief Technology Officer, Chief Legal and People Officer, our Senior Vice President of Legal and Vice President, Internal Audit. Such individuals have extensive prior work experience and expertise spanning over three decades in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, managing cybersecurity operations and incident response, and incorporating security and privacy by design into software development programs.

These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these members of management report to the entire Board about cybersecurity threat risks, among other cybersecurity related matters at least annually, with updates to the Audit Committee on a quarterly basis.

Company Information
Name | Sunrun Inc. |
CIK | 0001469367 |
SIC Description | Miscellaneous Electrical Machinery, Equipment & Supplies |
Ticker | RUN - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |