Page last updated on March 17, 2025
Altus Power, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 17:02:00 EDT.
Filings
10-K filed on 2025-03-17
Altus Power, Inc. filed a 10-K at 2025-03-17 17:02:00 EDT
Accession Number: 0001828723-25-000010
Item 1C. Cybersecurity.
Our process for assessing, identifying, and managing material risks from cybersecurity threats alongside other risks is an integral part of our overall risk management system. This process is achieved by implementing specific controls, continuous monitoring, collaborative response plans, and regular reviews. Integration ensures a comprehensive view of risk and facilitates informed decision-making and a proactive approach to risk management.
We employ various cybersecurity frameworks to ensure comprehensive protection of our systems and data, such as the NIST Cybersecurity Framework and elements of the CIS Controls Framework. By aligning with these standards and leveraging industry-specific best practices, we create a cybersecurity strategy to address the challenges of the solar power sector. Additionally, our cybersecurity disclosures are designed to align with the SEC’s evolving guidance on cybersecurity risk management, ensuring we remain transparent and proactive in communicating our cyber risk posture.
Regular assessments are conducted to identify potential cybersecurity risks across our organization, ensuring a comprehensive understanding of our risk exposure. To support our capabilities, we engage assessors, consultants, auditors, and other third parties with specialized expertise in cybersecurity. Their assessments cover various aspects of our infrastructure, including penetration testing, vulnerability assessments, and compliance audits, enabling us to strengthen our defenses against current and emerging threats.
We also conduct regular company-wide security awareness training and phishing exercises to help our employees stay vigilant against evolving cyber threats. This training is updated at least annually and includes targeted education for higher-risk roles to ensure employees adhere to best practices.
We maintain a formal incident response plan (IRP) and business continuity/disaster recovery (BC/DR) procedures to ensure we can rapidly respond to and recover from cybersecurity incidents. These procedures, which include clear escalation paths and responsibilities in the event of a cybersecurity incident, are tested and updated annually to ensure their effectiveness.
Additionally, we have established processes to oversee and identify cybersecurity risks associated with third-party service providers. Thorough evaluations of their cybersecurity practices are conducted before engagement, ensuring our standards are met. Contractual agreements include requirements that enforce compliance with our security protocols, mitigating risks associated with third-party interactions.
Cybersecurity threats have the potential to disrupt our day-to-day operations, compromise sensitive data, and damage our reputation. While we have not experienced any material cybersecurity incidents to date, we acknowledge the potential impact of such threats on our business strategy, operations, and financial status. We also maintain cyber liability insurance coverage to help mitigate potential financial losses arising from certain cyber-related incidents, though it may not extend to all significant events. Additionally, regulatory fines or legal liabilities resulting from data breaches or non-compliance with cybersecurity standards will have a significant financial impact.
The Board of Directors provides supervision of cybersecurity risks to ensure the security of our company’s operations. The Board of Directors receives quarterly updates on cybersecurity threats, vulnerabilities, and incidents from management, specifically from the Chief Digital Officer and IT Manager. These updates include information on the prevention, detection, and remediation of cybersecurity incidents, as well as monitoring key performance indicators, such as the effectiveness of security controls and overall cybersecurity posture.
Management plays a critical role in assessing and managing the company’s material risks from cybersecurity threats. Cybersecurity efforts are overseen by the Chief Digital Officer, supported by a dedicated team. The Chief Digital Officer has over 20 years of experience in leadership roles in the digital domain at renowned organizations such as Nasdaq and TIAA. Their expertise encompasses a deep understanding of cyber threats, risk management strategies, and regulatory compliance requirements, which positions the Chief Digital Officer to lead the company against evolving cyber-related threats.
Notwithstanding our efforts described above, the Company cannot guarantee that it will be successful in identifying and preventing all cybersecurity risks. For a discussion of how the occurrence of such risks may impact Altus’ business, see the section entitled “Risk Factors” above.
Company Information
Name | Altus Power, Inc. |
CIK | 0001828723 |
SIC Description | Electric Services |
Ticker | AMPS - NYSE |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |