Shoals Technologies Group, Inc. 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

Shoals Technologies Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 07:52:53 EST.

Filings

10-K filed on 2026-02-24

Shoals Technologies Group, Inc. filed a 10-K at 2026-02-24 07:52:53 EST
Accession Number: 0001831651-26-000021

Item 1C. Cybersecurity.

Risk Management and Strategy

Our cybersecurity strategy focuses on striking a balance between data barriers and access, and promoting vigilance among our employees, contractors, and business partners. We monitor and implement procedures, policies, and activities designed to manage our data and to maintain a high level of privacy and security within our systems. In 2025, we continued the development of our enterprise risk program, which integrates cybersecurity.

Our cybersecurity processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We have implemented risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our products and related services. We have an information security risk program that is designed based on the National Institute of Standards and Technology Cybersecurity Framework, industry leading practices, privacy laws and regulations, and other applicable standards and regulations. Our program includes a defense-in-depth approach with multiple layers of security controls, including network segmentation, security monitoring, endpoint protection, and identity and access management, as well as data protection leading practices and data loss prevention controls. Through our cybersecurity program, we continuously monitor cybersecurity vulnerabilities and potential attack vectors, and we evaluate the potential adverse operational and financial effects of a cybersecurity incident.

In addition, we maintain specific policies and practices governing our third-party security risks, including our third-party assessment process. Under this assessment process, we gather information from certain third parties who contract with us and share or receive personal identifying and confidential information, to help us assess potential risks associated with their security controls. We also generally require third parties to, among other things, maintain security controls to protect our confidential information and data, the confidential information of our customers, and to notify us of data incidents that may impact our data or data of our customers. We assess the risks from cybersecurity threats that impact select third-party service providers with whom we share personal identifying and confidential information. We continue to enhance our oversight processes for how we identify and manage cybersecurity risks associated with the services we procure from such third parties.

Our cybersecurity awareness program includes regular phishing simulations, and quarterly general cybersecurity awareness and data protection training modules for all employees with network access, as well as more contextual and personalized training modules for applicable users and roles.

The Company conducts annual internal security audits and vulnerability assessments of the Company's information systems and related controls, including systems that process or store personal data. In addition, we leverage third party cybersecurity specialists to conduct annual external audits and assessments of our cybersecurity program and practices, including our data protection practices, as well as to conduct targeted cyber-attack simulations.

We have obtained cybersecurity liability insurance, however, such insurance may not be sufficient to cover all of our potential losses and may not continue to be available to us on acceptable terms, or at all. In 2025, we did not experience, and are not reasonably likely to have experienced, a material cybersecurity incident. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see Item 1A. "Risk Factors-The unauthorized access to our information technology systems or the disclosure of personal or sensitive data or confidential information, whether through a breach of our computer system or otherwise, could severely disrupt our business or reduce our sales or profitability" and "Failure of our information technology systems, including those managed by third parties, whether intentional or inadvertent, could lead to delays in our business operations and, if significant or extreme, affect our results of operations."

Governance

Our board of directors reviews our management of cybersecurity risks, and has delegated to our Audit Committee primary oversight of such risks and the steps our management takes to monitor and control these risks. Our data privacy and security program is overseen by our Vice President of Information Technology ("IT"), who reports to the Board on an annual basis about cybersecurity risks. Our Board also receives quarterly reports about cybersecurity matters and the Company's efforts to prevent, detect, mitigate, and remediate cybersecurity risks. Our Audit Committee also receives regular reports about cybersecurity matters, including cybersecurity threats, and it receives details about any significant cybersecurity incidents.

Our Vice President of IT leads our dedicated Information Technology team ("IT team"), which executes our data privacy and information security programs and policies, and our Cyber Incident Response Team ("IRT"), which executes our incident response procedures in the event of a data privacy or security event and conducts annual exercises simulating cybersecurity incidents. The IRT is comprised of internal members from the finance, legal, human resources, and operations departments, and are assisted by external cybersecurity vendors and advisors. The members of our IRT understand the complexities of our business and are experienced in the financial, legal, regulatory and operational consequences of a cybersecurity incident or threat to the Company.


Company Information

Name: Shoals Technologies Group, Inc.
CIK: 0001831651
SIC Description: Semiconductors & Related Devices
Ticker: SHLS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31