|
<br />accordance with applicable securities laws and regulatory limitations. We may reduce or eliminate our share repurchase program in the future. The reduction or elimination of
<br />our share repurchase program, particularly if we do not repurchase the full number of shares authorized under the program, could adversely affect the market price of our
<br />common stock.
<br />Item 1B. Unresolved Staff Comments
<br />None.
<br />Item 1C. Cybersecurity
<br />Information Technology and Cybersecurity Risk Management
<br />As is the case for all large companies, we are regularly subject to cyberattacks and other cyber incidents and, therefore, cybersecurity occupies a pivotal role within our risk
<br />management process. We adhere to a risk-based, multi-layered "defense in depth" approach that is dedicated to the identification, protection, detection, response, and recovery
<br />from cyber threats and incidents. We understand that a single technology, process, or business control cannot wholly prevent or mitigate all potential risks. Therefore, we
<br />employ a multitude of technologies, processes, and controls, each functioning independently but collectively forming a cohesive strategy aimed at minimizing risk. This strategy
<br />is evaluated through various means, such as frequent research and industry security briefings among our information technology group, internal and external audits,
<br />independent program assessments, control attestation reports, penetration testing, and other exercises that gauge its effectiveness. Threats and incidents connected with
<br />third-party service providers are considered and managed under this process as well.
<br />We engage external parties, including consultants, independent privacy assessors, computer security firms and risk management and governance experts, to enhance our
<br />cybersecurity oversight. For example, we have engaged an outside consulting firm with expertise in the field to help us assess our systems, monitor risk and implement best
<br />practices and to support the internal audit of our cyber security programs, and we regularly consult with industry groups on emerging industry trends. In addition, as part of our
<br />overall risk mitigation strategy, we also maintain cyber insurance coverage. Our cybersecurity policies, standards and procedures include cyber and data breach response plans,
<br />which are periodically assessed against the National Institute of Standards and Technology Cybersecurity Framework.
<br />We do not believe that there are currently any risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or
<br />financial condition.
<br />Cybersecurity Governance and Oversight
<br />The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk. The Audit Committee receives and provides feedback on periodic updates
<br />from management regarding cybersecurity. Agendas for quarterly updates are developed and adjusted throughout the year to adapt to any emerging risks or key topics and
<br />include a wide range of information, including the prevailing cybersecurity threat landscape, investments in infrastructure, training programs and opportunities for bolstering
<br />the security of our company's systems and the protection of our products and operations. The full Board of Directors receives regular reports from the Audit Committee and our
<br />management on our cyber security program and the emerging threat landscape.
<br />We have a Senior Vice President of Information Technology whose team is responsible for leading company-wide cybersecurity strategy, policy, standards and processes and
<br />works across relevant units of Ameresco. Our Senior Vice President of Information Technology has more than thirty years of experience in cybersecurity and information
<br />technology and based on his long career with Ameresco he has a deep understanding of our information technology and business needs and the cyber security opportunities and
<br />risks we face.
<br />In actioning our cyber security strategy, our management together with our Senior Vice President of Information Technology evaluate the materiality of any cybersecurity
<br />threats and incidents utilizing both qualitative and quantitative considerations. Our internal audit team also provides independent testing on aspects of the operations of our
<br />cybersecurity program and the supporting control framework.
<br />Our cybersecurity program is designed to ensure the confidentiality, integrity, and availability of data and systems as well as to ensure timely identification of and response to
<br />any incidents. This design is geared toward supporting our business objectives and the needs of our valued customers, employees, and other stakeholders. We firmly believe that
<br />cybersecurity is a collective responsibility that extends to every employee, and we prioritize it as an ongoing objective. To increase our employees' awareness of cyber threats,
<br />we provide education and share best practices through a security awareness training program. This includes receiving regular exercises, cyber-event simulations, training
<br />programs and an annual attestation to our Technology Acceptable Use Policy.
<br />
|