Array Technologies, Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Array Technologies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 20:15:31 EST.

Filings

10-K filed on 2025-02-28

Array Technologies, Inc. filed a 10-K at 2025-02-28 20:15:31 EST
Accession Number: 0001820721-25-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our commercial success depends on developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity and availability of our data. Accordingly, we have adopted processes designed to identify, assess and mange material risks from cybersecurity threats. Managing Material Risks & Integrated Enterprise Risk Management We are working to strategically integrate cybersecurity risk management into our broader enterprise risk management program to promote a company-wide culture of cybersecurity risk management. Our enterprise risk management project team is working closely with our IT department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs while building out a framework to monitor those risks and integrate objectives into our broader strategic plan. Engaging Third Parties on Risk Management Given the complexity and evolving nature of cybersecurity threats, we have engaged a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating, testing, and improving our risk management systems. These partnerships enable us to leverage specialized knowledge and insights and includes regular audits, threat assessments, and consultation on security enhancements. Overseeing Third Party Risk The need to govern third party service providers and vendors poses significant challenges, and as a result we have implemented processes to oversee and manage these risks. Our procedures contemplate conducting security assessments of all third-party providers that are proportional to the risks present, ideally before or soon after engagement, and periodically thereafter, in order to mitigate risks related to data breaches or other security incidents originating from third parties. Risks from Cybersecurity Threats We have not encountered cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, although we cannot rule out that a cyber-attack in the future could materially affect our ability to operate. Governance Our board of directors is aware of the critical nature of managing risks associated with cybersecurity threats. In recognition of the significance of these threats to our operational integrity and shareholder confidence, our 36 board of directors has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats. Board of Directors Oversight The Nominating and Corporate Governance Committee of our board of directors bears primary responsibility for oversight of cybersecurity risks. The Nominating and Corporate Governance Committee is briefed on cybersecurity risks at least once each year and any material cybersecurity incidents by our chief information officer and our chief financial officer, as further described below. The Nominating and Corporate Governance Committee is composed of directors equipped with diverse skills needed to oversee the difference facets of cybersecurity risks effectively, including risk management, public company leadership, innovation and technology, corporate governance and finance. Management’s Role Managing Risk The chief information officer and the chief financial officer are responsible for updating the Nominating and Corporate Governance Committee on cybersecurity risks and our mitigation strategies. They provide quarterly updates to the Nominating and Corporate Governance Committee, as well as comprehensive briefings at least once per year and appropriate briefings during any potentially material cybersecurity incident. These briefings encompass a broad range of topics, including: - results of internal assessments and audits by third parties; - the current cybersecurity landscape and emerging threats; - the status of ongoing cybersecurity initiatives and strategies; - incident reports and lessons learned from any cybersecurity events; and - compliance with regulatory requirements and industry standards. In addition to regular scheduled meetings, the Nominating and Corporate Governance Committee, our chief information officer and our chief executive officer maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive periodic updates on significant developments in the cybersecurity landscape to support proactive and responsive board oversight. The Nominating and Corporate Governance Committee actively participates in strategic decisions related to cybersecurity, reviewing and offering guidance on major initiatives and any potentially material cybersecurity incident. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives. Risk Management Personnel Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the chief information officer, Jovan Kangrga. Mr. Kangrga has managed cybersecurity and information security at Array for the past five years and has over 14 years of total experience as an information technology executive for publicly listed companies. Mr. Kangrga holds B.S. degrees in finance and computer science from Arizona State University as well as a M.B.A. from Western International University. He manages a team with over 40 years of combined experience in cybersecurity. Our chief information officer reports to our chief financial officer, and both our are responsible for updating the chief executive officer, the Nominating & Corporate Governance Committee, and our board of directors on cybersecurity issues. Ongoing Education and Monitoring The chief information officer leads our cybersecurity team, which remains current with the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing 37 education is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The chief information officer implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits, including penetration testing, to identify potential vulnerabilities. In the event of a cybersecurity incident, we are equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Reporting to the Board of Directors The chief information officer regularly informs the chief financial officer and chief executive officer of all significant aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential significant risks facing the Company. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Nominating and Corporate Governance Committee of our board of directors and, in certain cases, the board itself, ensuring that they have comprehensive oversight and can provide guidance on any potentially material cybersecurity incident.

Company Information