Array Technologies, Inc. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Array Technologies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 17:21:25 EST.

Filings

10-K filed on 2026-02-25

Array Technologies, Inc. filed a 10-K at 2026-02-25 17:21:25 EST
Accession Number: 0001820721-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our commercial success depends on developing, implementing, and maintaining robust cybersecurity measures to safeguard our information technology systems and protect the confidentiality, integrity and availability of our data. Accordingly, we have adopted processes designed to identify, assess and mange material risks from cybersecurity threats. Managing Material Risks & Integrated Enterprise Risk Management We continue to strategically integrate cybersecurity risk management into our broader enterprise risk management program to promote a company-wide culture of cybersecurity risk management. Our enterprise risk management project team is working closely with our IT department to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs while building out a framework to monitor those risks and integrate objectives into our broader strategic plan. Engaging Third Parties on Risk Management Given the complexity and evolving nature of cybersecurity threats, we have engaged a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating, testing, and improving our risk management systems. These partnerships enable us to leverage specialized knowledge and insights and includes regular evaluations, threat assessments, and consultation on security enhancements. Overseeing Third Party Risk The need to govern third party business partners poses significant challenges, and as a result we have implemented processes to oversee and manage these risks. Our procedures contemplate conducting security assessments of all third-party software vendors that are proportional to the risks present, ideally before or soon after engagement, and periodically thereafter, in order to mitigate risks related to data breaches or other cybersecurity incidents originating from third parties. Risks from Cybersecurity Threats We are not aware of any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. However, we cannot assure that our business strategy, results of operations and financial condition will not be materially affected in the future by cybersecurity risks or future cybersecurity incidents. 41 Governance Our board of directors is aware of the critical nature of managing risks associated with cybersecurity threats. In recognition of the significance of these threats to our operational integrity and shareholder confidence, our board of directors has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats. Board of Directors Oversight The Nominating and Corporate Governance Committee of our board of directors bears primary responsibility for the oversight of cybersecurity risks. The Nominating and Corporate Governance Committee was briefed on cybersecurity risks and any material cybersecurity incidents four times in 2025 by our Chief Information Officer and our Chief Financial Officer, as further described below. The Nominating and Corporate Governance Committee is composed of directors equipped with diverse skills needed to oversee the difference facets of cybersecurity risks effectively, including risk management, public company leadership, innovation and technology, corporate governance and finance. Management's Role Managing Risk The Chief Information Officer and the Chief Financial Officer are responsible for updating the Nominating and Corporate Governance Committee on cybersecurity risks and our mitigation strategies. They provide regular updates to the Nominating and Corporate Governance Committee, as well as comprehensive briefings at least once per year and appropriate briefings during any potentially material cybersecurity incident. These briefings encompass a broad range of topics, including: - results of internal assessments and evaluations by third parties; - the current cybersecurity landscape and emerging threats; - the status of ongoing cybersecurity initiatives and strategies; - incident reports and lessons learned from any cybersecurity events; and - compliance with regulatory requirements and industry standards. In addition to regular scheduled meetings, the Nominating and Corporate Governance Committee, our Chief Information Officer and our Chief Financial Officer maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive periodic updates on significant developments in the cybersecurity landscape to support proactive and responsive board oversight. The Nominating and Corporate Governance Committee actively participates in strategic decisions related to cybersecurity, reviewing and offering guidance on major initiatives and any potentially material cybersecurity incident. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives. Risk Management Personnel Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Chief Information Officer. Our Chief Information Officer has managed cybersecurity and information security at Array for the past six years and has over 15 years of total experience as an information technology executive for publicly listed companies. Our Chief Information Officer holds B.S. degrees in finance and computer science from Arizona State University as well as a M.B.A. from Western International University. He manages a team with over 40 years of combined experience in cybersecurity. Our Chief Information Officer reports to our Chief 42 Financial Officer, and both are responsible for updating the Chief Executive Officer, the Nominating & Corporate Governance Committee, and our board of directors on cybersecurity issues. Ongoing Education and Monitoring The Chief Information Officer leads our cybersecurity team, which remains current with the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing education is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The Chief Information Officer implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system evaluations, including penetration testing, to identify potential vulnerabilities. In the event of a cybersecurity incident, we are equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Reporting to the Board of Directors The Chief Information Officer regularly informs the Chief Financial Officer and Chief Executive Officer of all significant aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential significant risks facing the Company. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Nominating and Corporate Governance Committee of our board of directors and, in certain cases, the board itself, ensuring that they have comprehensive oversight and can provide guidance on any potentially material cybersecurity incident.

Company Information