Sunnova Energy International Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Sunnova Energy International Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 06:06:26 EST.

Filings

10-K filed on 2024-02-22

Sunnova Energy International Inc. filed an 10-K at 2024-02-22 06:06:26 EST
Accession Number: 0001772695-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity, Risk Management and Strategy Sunnova allocates significant resources to preventing, identifying, and mitigating cybersecurity threats to our technology infrastructure and data. Managing Material Risks and Integrated Overall Risk Management A focused team of technology professionals works throughout the year to assess and monitor all matters of risk related to cybersecurity. This team is managed by our Chief Information Security Officer (“CISO”), who oversees cybersecurity processes and controls. We deploy a robust combination of security technologies as technical safeguards throughout our network and utilize a defense-in-depth security methodology to protect, detect and react to threats to our systems and data. We conduct cybersecurity maturity and posture assessments twice annually and adjust our efforts to adapt to the evolving industry and threat 61 Table of Contents landscape. Cybersecurity risks are also assessed as part of our Annual Enterprise Risk Assessment. Our risk management strategy includes multiple programs that manage cybersecurity risk, including the following: Alignment of our program with the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) to prevent, detect and respond to cyberattacks Our Incident Response Program outlines how we process incidents and events from identification to completion with clear definitions on roles, classifications, materiality guidelines and additional processes to support response efforts according to the NIST CSF. An information security training program that requires all company employees and contractors with access to our networks to participate in regular and mandatory training on how to be aware of, and help defend against, cyber risks, combined with year-round awareness testing and re-training as necessary Regular and robust testing of our systems and processes to assess our cybersecurity posture and resilience, which includes internal and external penetration testing performed by third-party vendors and tabletop incident response exercises Coordinated engagements with the Department of Homeland Security and Cyber & Infrastructure Security Agency to ensure alignment with industry and government standards and leverage access to agency resources Cybersecurity insurance coverage to mitigate the risk of cybersecurity incidents and review of this coverage annually Results of all assessments, events and test results inform cybersecurity program direction and activities taken throughout the year. Engaging Third Parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity risk, we leverage strategic external partnerships to assist with assessing and mitigating cybersecurity threats to us. For example, we utilize a third-party managed security service provider who performs security operations center consulting and investigative duties as a backup to our in-house dedicated cybersecurity team. Managing Third-Party Risk We recognize the risks associated with the use of vendors, service providers and other third parties that provide information system services to us, process information on our behalf or have access to our information systems, and we have processes in place to oversee and manage these risks. We conduct thorough security assessments of these third parties engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. Risks from Cybersecurity Incidents As of December 31, 2023, we have identified no security incidents or breaches that are material, or likely to be material, to our business strategy, results or financial condition. As such, we have not allocated any material capital towards addressing information security breaches in the last three years, nor have we incurred any material expenses from penalties and settlements related to a material breach during this period. The materiality of an incident is determined by a team convened for an incident, according to guidelines set forth in our incident response policy and process documentation. We believe we are adequately insured against losses related to possible information security breaches and we maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business. Board Governance and Oversight We involve multiple levels of oversight as a part of our approach to cybersecurity risk management. Risk Management Personnel Our CISO is responsible for the oversight, implementation and compliance of our cybersecurity program and mitigation of cyber-related risks. Our current CISO has more than 20 years of industry experience and over 5 years of experience with development, training and controls of effective enterprise cybersecurity programs. Our CISO’s responsibilities include, but are not limited to, (a) reviewing our enterprise risk register and functional risk register, (b) maintaining adequate processes to manage the identified risks under our cybersecurity program, (c) analyzing logs of cybersecurity threats and vulnerabilities, (d) overseeing prevention, detection, mitigation and remediation efforts and (e) developing, maintaining and ensuring team familiarity with the above mentioned incident response plan. Additionally, we maintain an experienced information technology 62 Table of Contents team at the employee level that supports the implementation of our cybersecurity program and internal reporting, security and mitigation functions. Board of Director Oversight Our Board has delegated oversight of risks from cybersecurity threats, as well as overall Enterprise Risk Management, to our audit committee. The audit committee reviews and evaluates the effectiveness of our cybersecurity frameworks, policies, programs, opportunities and risk profile, as well as our business continuity and disaster recovery efforts. Members of our audit committee have cybersecurity experience from their principal occupation or other professional experience. Members of information technology management, including our CISO, regularly report on our cybersecurity matters to both the audit committee of our Board and the full Board, as follows: Management provides quarterly reports to the audit committee regarding our cybersecurity program and risks, and the audit committee in turn provides reports to the full Board as needed. All incidents with critical functional impact are escalated to the Board and audit committee. Current information security concerns that arise during the year are escalated in real-time to leadership based on the process defined in our Incident Response Plan. All events and incidents are evaluated against our prioritization and informational impact matrices outlined the plan. We recognize cyber threats are a permanent part of the overall risk landscape and cybersecurity threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority for us.

Company Information