Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

Our cybersecurity strategy emphasizes detection, analysis and recovery of cybersecurity threats, while increasing our resiliency against cybersecurity incidents and effective management of the cybersecurity risks and events. These processes apply equally to the protection of our generation projects as well as to our organizational network.

Our cybersecurity risk management processes include two policies that we have adopted: a Cybersecurity Events Response Policy and an Information Security Policy (collectively, our Cybersecurity Policy). Other elements of our cybersecurity risks management include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats.

As part of our risk management procedures, we conduct regular risk assessments of our various information systems to identify, document and mitigate cybersecurity risks. For high-risk systems, risk surveys and penetration tests are conducted at least annually and following a major system change or data breach event. Other systems are tested at different time periods according to their sensitivity. These regular risk assessments are conducted either internally or by qualified third party service providers. In addition, from time to time, the Israeli Ministry of Energy reviews our network vulnerability to cybersecurity risks and provides us with comments on how to improve such network.

Exposure of external parties to Company data and systems is minimized and made on a “need to know” basis. Any communication with an external party involving exposure to sensitive Company information is based on an appropriate preliminary risk assessment process.

Employees receive information security training upon hiring and at least twice a year, with additional dedicated training for employees with access to sensitive Company systems and information. Employees are required to complete the training through education software and we monitor completion. In addition, employees and third-party contractors sign non-disclosure agreements to protect the confidentiality of our information.

136

We also leverage partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.

We entered into an agreement with Astoria Cyber Ltd., which specializes in the protection of critical infrastructure, to assess cybersecurity risks at the Company's renewable energy facilities worldwide and to make recommendations regarding, implement and manage our ongoing defensive measures against cybersecurity threats.

The cybersecurity risk management methodology we employ to protect our renewable energy facilities was developed and implemented in accordance with guidelines from the Israeli Ministry of Energy, while at the same time considering international standards. We believe that we are in substantial compliance with the NIS2 Directive, an EU-wide legislation on cybersecurity that came into effect in 2023, and our defensive measures we take are compliant with the specific requirements of each country in which we operate.

We maintain security programs that include physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and timely and effectively respond to cybersecurity threats or incidents. Through our cybersecurity risk management process, we regularly monitor cybersecurity vulnerabilities and potential attack vectors to Company systems as well as our projects and services, and we evaluate the potential operational and financial effects of any threat and of cybersecurity countermeasures made to defend against such threats.

Our Cybersecurity Policy is overseen by our board of directors and provides central, standardized frameworks for identifying, mitigating and reporting cyber-related business and compliance risks across the Company. Risks from cybersecurity threats to our projects are also overseen by management. In addition, we periodically engage third-party consultants to assist in assessing, enhancing, implementing and monitoring our cybersecurity risk management programs and responding to any incidents.

We have implemented a requirement from our suppliers to adopt security-control principles based on industry-recognized standards, and we believe that our suppliers are materially meeting our cyber requirements as well as regulatory requirements.

As our portfolio of projects increased in size over the last few years, the scope of our technology has similarly increased, and we have had to improve and expand our IT defensive infrastructure. For example, in 2024 we enhanced the security of our corporate servers, added Multi-Factor Authentication to our Virtual Private Networks, implemented a Network Access Control solution and connected our office network to a specified SIEM/SOC service.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

As of the date of this Annual Report, cybersecurity incidents we have experienced have not materially affected our business strategy, results of operations or financial condition.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our board of directors has overall responsibility for risk oversight, with its committees assisting the board in performing this function based on their respective areas of expertise. Our board of directors has delegated oversight of risks related to cybersecurity to our audit committee.

137

With the assistance of the audit committee, our board of directors oversees our cybersecurity and ensures that we adequately address and mitigate the evolving cybersecurity threats we face. The board’s responsibilities include setting the overall cybersecurity strategy, assessing risks and providing oversight to ensure our resiliency against cybersecurity threats. The key aspect of the board’s role is to remain updated and make determinations on the following topics:

•

Cybersecurity Policy development and approval,

•

Risk management,

•

Budgetary approval,

•

Leadership and culture,

•

Compliance oversight,

•

Crisis management and

•

Continuous improvement.

Mrs. Michal Ma’aravi, our Chief Information Systems Officer, or CISO, is responsible for overseeing the implementation of our Cybersecurity Policy. Ms. Ma’aravi has served as our CISO since 2022 and has completed a 300-hour training program for CISOS.

Our CISO provides presentations to the audit committee on cybersecurity risks on an annual basis. These briefings include assessments of cybersecurity risks, the threat landscape, updates on incidents and reports on our investments in cybersecurity risk mitigation and governance. In addition, in cases of cybersecurity events, the CISO will report to our chief operating officer who will update our chief executive officer. In each such case the IT team will review the incident and suggest a remediation plan.

In addition, in the event of a potentially material cybersecurity event, the chair of the audit committee is notified and briefed, and meetings of the audit committee and/or full board of directors would be held, as appropriate.

The audit committee and/or the Chief Executive Officer brief the full board on cybersecurity matters discussed during audit committee meetings, and the CISO provides periodic briefings to the board on information technology and data analytics related matters, including cybersecurity.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

•

Cybersecurity Policy development and approval,

•

Risk management,

•

Budgetary approval,

•

Leadership and culture,

•

Compliance oversight,