Hannon Armstrong Sustainable Infrastructure Capital, Inc. 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

Hannon Armstrong Sustainable Infrastructure Capital, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:19:48 EST.

Filings

10-K filed on 2024-02-16

Hannon Armstrong Sustainable Infrastructure Capital, Inc. filed a 10-K at 2024-02-16 16:19:48 EST
Accession Number: 0001561894-24-000009

Item 1C. Cybersecurity.

Risk management and strategy

We have implemented and maintain various information security processes at each of our remote and office locations designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature ("Information Systems and Data").

Our Chief Technology Officer ("CTO"), who also serves as our chief information security officer, and Deputy Chief Information Security Officer ("Deputy CISO") help identify, assess and manage our cybersecurity threats and risks. Collaborating with their team, they are responsible for steering the company-wide cybersecurity strategy, policy, standards, architecture, and processes. They also identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods.

The Company's information security program, led by our CTO and Deputy CISO, collaborates with various departments within the organization, such as information technology, legal, enterprise risk management, human resources, accounting, finance, and internal audit, as well as external third-party partners. This collaboration aims to identify, mitigate, and plan for potential cybersecurity threats comprehensively. Additionally, the Company consistently evaluates and enhances its processes, procedures, and management approaches in response to evolving cybersecurity landscapes.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data. These include incident management, change management, network segmentation, cyber protection and containment, detection and response, and recovery. We measure our programs against the National Institute of Standards and Technology Cyber Security Framework and regularly test our controls and incident response plans.

Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of our enterprise risk management program; (2) the information security function works with our leadership team to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our CTO evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Finance & Risk Committee of our board of directors (the "Finance and Risk Committee"), which evaluates our overall enterprise risk.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, as well as to perform a variety of other functions throughout our business. We have enlisted the services of a third-party managed detection and response firm to conduct continuous monitoring of our information systems, including intrusion detection and alerting. We also regularly engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.

For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. "Risk Factors" in this Annual Report on Form 10-K, including "Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, a misappropriation of funds, and/or damage to our business relationships, all of which could negatively impact our financial results."

Governance

Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The Finance & Risk Committee is responsible for overseeing the Company's cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our CTO and Deputy CISO. The CTO and Deputy CISO have a combined four decades of information technology and cybersecurity leadership experience across public and private sectors.

Our CTO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Our CTO and Deputy CISO are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response plan and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our CEO, CFO, Chief Legal Officer and other members of our leadership team. Our leadership team works with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response plan and vulnerability management processes include reporting to our board of directors for certain cybersecurity incidents.

The Finance & Risk Committee receives periodic reports from CTO concerning our significant cybersecurity threats and risk and the processes we have implemented to address them. The Finance & Risk Committee also receives various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.


Company Information

Name: Hannon Armstrong Sustainable Infrastructure Capital, Inc.
CIK: 0001561894
SIC Description: Real Estate Investment Trusts
Ticker: HASI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30