Shoals Technologies Group, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

Shoals Technologies Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:52:32 EST.


10-K filed on 2024-02-28

Shoals Technologies Group, Inc. filed a 10-K at 2024-02-28 16:52:32 EST
Accession Number: 0001831651-24-000011


Item 1C. Cybersecurity.

Risk Management and Strategy

Our cybersecurity strategy focuses on striking a balance between data barriers and access, and promoting vigilance among our employees, contractors, and business partners. We monitor and implement procedures, policies, and activities designed to manage our data and to maintain a high level of privacy and security within our systems. In 2023, we undertook an in-depth enterprise risk analysis and designed a program to address the most significant risks affecting our business. Our newly-developed enterprise risk program integrates cybersecurity.

Our cybersecurity processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our products and related services. We have an information security risk program structured according to the National Institute of Standards and Technology Cybersecurity Framework, industry best practices, privacy legislation, and other standards and regulations. Our program includes a defense-in-depth approach with multiple layers of security controls, including network segmentation, security monitoring, endpoint protection, and identity and access management, as well as data protection best practices and data loss prevention controls. Through our cybersecurity program, we continuously monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational and financial effects of any threat and of cybersecurity risk countermeasures made to defend against such threats.

In addition, we maintain specific policies and practices governing our third-party security risks, including our third-party assessment process. Under this assessment process, we gather information from certain third parties who contract with us and share or receive data, to help us assess potential risks associated with their security controls. We also generally require third parties to, among other things, maintain security controls to protect our confidential information and data, and notify us of material data breaches that may impact our data. We assess the risks from cybersecurity threats that impact select third-party service providers with whom we share personal identifying and confidential information. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the services we procure from such third parties.

Our cybersecurity awareness program includes regular phishing simulations, and quarterly general cybersecurity awareness and data protection modules for all employees with network access, as well as more contextual and personalized modules for targeted users and roles.

We complete annual internal security audits and vulnerability assessments of the Company’s information systems and related controls, including systems affecting personal data. In addition, we leverage cybersecurity specialists to complete annual external audits and objective assessments of our cybersecurity program and practices, including our data protection practices, as well as to conduct targeted attack simulations.

We have also purchased network security and cyber liability insurance in order to provide a level of financial protection, should a data breach occur. However, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all.

In 2023, we did not experience any material information security breach or incident. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see Item 1A. “Risk Factors-Failure to effectively utilize information technology systems or implement new technologies and the unauthorized disclosure of personal or sensitive data or confidential information, whether through a breach of our computer system or otherwise, could severely disrupt our business or reduce our sales or profitability” and “Compromises, interruptions or shutdowns of our information technology systems, including those managed by third parties, whether intentional or inadvertent, could lead to delays in our business operations and, if significant or extreme, affect our results of operations.”

Governance

Our board of directors reviews our management of cybersecurity risks, and our Audit Committee has been delegated primary oversight over such risks and the steps our management has taken to monitor and control these exposures. Our data privacy and security program is overseen by our IT Director who has presented to the Board on an annual basis. Our Audit Committee also receives briefings on significant cybersecurity incidents.

Our IT Director leads our dedicated Information Technology team (“IT team”), which executes on our data privacy and security programs and policies, and our Cyber Incident Response Team (“IRT”), which executes on our incident response procedures in the event of a data privacy or security event and conducts annual exercises simulating cybersecurity and data breach incidents. The IRT is comprised of internal members from the finance, legal, human resources, and operations departments, as well as external cybersecurity vendors and advisors. The members of our IRT understand the complexities of our business and are experienced in the financial, legal, regulatory and operational consequences of a cybersecurity incident or threat to the Company.

Our IT Director is Joe Rogers. He has 35 years of experience in information technology and cybersecurity, having been at the Company in his role as IT Director since 2022.

Company Information

Name: Shoals Technologies Group, Inc.
SIC Description: Semiconductors & Related Devices
Ticker: SHLS - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30