Greenbacker Renewable Energy Co LLC 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Greenbacker Renewable Energy Co LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:01:35 EDT.

Filings

10-K filed on 2024-03-28

Greenbacker Renewable Energy Co LLC filed an 10-K at 2024-03-28 17:01:35 EDT
Accession Number: 0001563922-24-000001

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Program As an energy transition, renewable energy and investment management company that acquires, constructs and operates renewable energy and energy efficient projects, as well as finances the construction and/or operation of these and other sustainable development projects and businesses and provides through GCM investment management services to funds within the sustainable infrastructure and renewable energy industry, cybersecurity risk management is an integral part of our overall enterprise risk management program. 37 Table of C ontents A robust cybersecurity program to protect our assets from cyber and information security threats is critical to managing risk effectively. Our cybersecurity program is designed to align with internationally recognized information security standards and best practices. Our multi-layered data protection and information security programs and practices are designed to ensure the safety, security and responsible use of the information and data our stakeholders entrust to us. The approach blends defense-in-depth and zero-trust principles. Our cybersecurity program is periodically informed and assessed by third-party assessments and advice regarding best practices from consultants, business partners and advisors and incorporates benchmarking and other data from peer companies. We have processes for evaluating (among other things) the data protection and information security infrastructure of our third-party providers (including examining any relevant records such as service organization controls reports), and we seek to manage third-party risk with procedures to onboard our third-party providers, monitor their activity during our engagement (where possible) and off-board such third-party service providers at the end of our engagement. We have implemented and maintain various measures to mitigate information security challenges, including maintaining an information security program, an enterprise resilience program, a business continuity program and cyber insurance coverage, as well as regularly testing our systems to discover and address any potential vulnerabilities. The Company also conducts periodic cybersecurity awareness training for employees and provides cybersecurity updates to its employees during regularly scheduled meetings. These updates are designed to educate employees and to raise awareness of cybersecurity threats to reduce vulnerability as well as to encourage consideration of cybersecurity risks. We monitor and respond to a range of cyber threats, including threats and incidents associated with the use of services provided by third-party providers. We utilize automation and artificial intelligence enabled tools to address threats. Our cybersecurity framework for handling cybersecurity threats and incidents includes steps for identifying the nature of a cybersecurity threat, assessing the severity of the threat (including advancing to key members of management where appropriate for determination of potential materiality) and implementing cybersecurity processes and procedures to address the threat. Despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. Refer to Part I Item 1A. Risk Factors in this Annual Report, including Cybersecurity risks could result in the loss of data, interruptions in our business and damage to our reputation, and subject us to regulatory actions, increased costs and financial losses, each of which could have a material adverse effect on our business and results of operations, for additional discussion about cybersecurity-related risks. Governance Our Board of Directors and certain members of our senior management team have specific oversight responsibilities with respect to cybersecurity risk. Board of Directors and Committee Oversight Our Board of Directors is responsible for understanding the issues and risks that are central to our business, including cybersecurity matters. In general, our Board of Directors and senior management team coordinate to oversee our guidelines and policies with respect to risk assessment and risk management and the Audit Committee of our Board of Directors (the Audit Committee ) discusses our financial and operational risk exposures, and the steps management has taken to monitor and control such exposures. In this context, the Audit Committee would be informed of a material cybersecurity incident that could impact our financial statements. Senior Management s Role in Managing Risk We have a leadership group consisting of certain members of our senior management team that is responsible for assessing and managing risk and implementing policies, procedures and strategies pertaining to security governance and data privacy, that is led and informed by our VP of Technology who develops and oversees the programs, policies and controls we have implemented across the organization to reduce and prevent logical and physical risks, including information security and cyber risks to our people, intellectual property, data and tangible property. Our VP of Technology has over 20 years of relevant experience in roles such systems controls, audit, governance, software development/design, systems implementation, IT infrastructure operations, cybersecurity, and overall management of the technology function. Most of that experience has been in the energy and financial services sector. The Company has also engaged a third-party IT expert to assist the Company s in-house IT function in managing cybersecurity risks and evaluating, monitoring, and testing the Company s cybersecurity program. How Senior Management is Informed of and Monitors Incidents 38 Table of C ontents Certain members of our senior management team are responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risks are monitored, implementing appropriate mitigation measures and maintaining our cybersecurity program. Our cybersecurity program is under the direction of our VP of Technology (in coordination with certain members of our senior management team), who receives reports from our information technology team and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. Certain members of our senior management team are notified as appropriate when the information technology team identifies an emerging risk or material issue. Reporting to our Board of Directors Given the importance of information security and privacy to our stakeholders, our Board of Directors receives an annual presentation from our senior management team discussing our program for managing information security risks, including cyber and data security risks. Our senior management team receives regular reports on our cybersecurity readiness, our risk profile status, our cybersecurity program, material cybersecurity risks and mitigation strategies, third-party assessments of our cybersecurity program and other cybersecurity developments. Our senior management team reports to the Board of Directors and the Audit Committee on such topics, as needed, and at regularly scheduled meetings of the Board of Directors and Audit Committee as part of the business, legal and regulatory update portions of such meetings.

Company Information