Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
As is the case for all large companies, we are regularly subject to cyberattacks and other cyber incidents and, therefore, cybersecurity occupies a pivotal role within our risk management process. We adhere to a risk-based, multi-layered “defense in depth” approach that is dedicated to the identification, protection, detection, response, and recovery from cyber threats and incidents. We understand that a single technology, process, or business control cannot wholly prevent or mitigate all potential risks. Therefore, we employ a multitude of technologies, processes, and controls, each functioning independently but collectively forming a cohesive strategy aimed at minimizing risk. This strategy is evaluated through various means, such as frequent research and industry security briefings among our information technology group, internal and external audits, independent program assessments, control attestation reports, penetration testing, and other exercises that gauge its effectiveness. Threats and incidents connected with third party service providers are considered and managed under this process as well.
We engage external parties, including consultants, independent privacy assessors, computer security firms and risk management and governance experts, to enhance our cybersecurity oversight. For example, we have engaged an outside consulting firm with expertise in the field to help us assess our systems, monitor risk and implement best practices and to support the internal audit of our cyber security programs and we regularly consult with industry groups on emerging industry trends. In addition, as part of our overall risk mitigation strategy, we also maintain cyber insurance coverage. Our cybersecurity policies, standards and procedures include cyber and data breach response plans, which are periodically assessed against the National Institute of Standards and Technology Cybersecurity Framework.

We do not believe that there are currently any risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] As is the case for all large companies, we are regularly subject to cyberattacks and other cyber incidents and, therefore, cybersecurity occupies a pivotal role within our risk management process. We adhere to a risk-based, multi-layered “defense in depth” approach that is dedicated to the identification, protection, detection, response, and recovery from cyber threats and incidents. We understand that a single technology, process, or business control cannot wholly prevent or mitigate all potential risks. Therefore, we employ a multitude of technologies, processes, and controls, each functioning independently but collectively forming a cohesive strategy aimed at minimizing risk. This strategy is evaluated through various means, such as frequent research and industry security briefings among our information technology group, internal and external audits, independent program assessments, control attestation reports, penetration testing, and other exercises that gauge its effectiveness.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk. The Audit Committee receives and provides feedback on periodic updates from management regarding cybersecurity. Agendas for quarterly updates are developed and adjusted throughout the year to adapt to any emerging risks or key topics and include a wide range of information, including the prevailing cybersecurity threat landscape, investments in infrastructure, training programs and opportunities for bolstering the security of our company's systems and the protection of our products and operations. The full Board of Directors receives regular reports from the Audit Committee and our management on our cyber security program and the emerging threat landscape.
Our Senior Vice President of Information Technology is responsible for leading our company-wide cybersecurity strategy, policy, standards and processes and together with our whole information technology team works across relevant units of Ameresco. Our Senior Vice President of Information Technology has more than thirty years of experience in cybersecurity and information technology and based on his long career with Ameresco he has a deep understanding of our information technology and business needs and the cyber security opportunities and risks we face.
In actioning our cyber security strategy, our management together with our Senior Vice President of Information Technology evaluate the materiality of any cybersecurity threats and incidents utilizing both qualitative and quantitative considerations. Our internal audit team also provides independent testing on aspects of the operations of our cybersecurity program and the supporting control framework.
Our cybersecurity program is designed to ensure the confidentiality, integrity, and availability of data and systems as well as to ensure timely identification of and response to any incidents. This design is geared toward supporting our business objectives and the needs of our valued customers, employees, and other stakeholders. We firmly believe that cybersecurity is a collective responsibility that extends to every employee, and we prioritize it as an ongoing objective. To increase our employees' awareness of cyber threats, we provide education and share best practices through a security awareness training program. This includes receiving regular exercises, cyber-event simulations, training programs and an annual attestation to our Technology Acceptable Use Policy.
See “A failure of our information technology (“IT”) and data security infrastructure or cyber or other security incidents, vulnerabilities or other deficiencies, could adversely impact our business, reputation or results of operation or could cause us to default under our contractual obligations.” in Item 1A, Risk Factors.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk. The Audit Committee receives and provides feedback on periodic updates from management regarding cybersecurity.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Agendas for quarterly updates are developed and adjusted throughout the year to adapt to any emerging risks or key topics and include a wide range of information, including the prevailing cybersecurity threat landscape, investments in infrastructure, training programs and opportunities for bolstering the security of our company's systems and the protection of our products and operations. The full Board of Directors receives regular reports from the Audit Committee and our management on our cyber security program and the emerging threat landscape.
Cybersecurity Risk Role of Management [Text Block] The Audit Committee receives and provides feedback on periodic updates from management regarding cybersecurity. Agendas for quarterly updates are developed and adjusted throughout the year to adapt to any emerging risks or key topics and include a wide range of information, including the prevailing cybersecurity threat landscape, investments in infrastructure, training programs and opportunities for bolstering the security of our company's systems and the protection of our products and operations. The full Board of Directors receives regular reports from the Audit Committee and our management on our cyber security program and the emerging threat landscape.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Senior Vice President of Information Technology is responsible for leading our company-wide cybersecurity strategy, policy, standards and processes and together with our whole information technology team works across relevant units of Ameresco. Our Senior Vice President of Information Technology has more than thirty years of experience in cybersecurity and information technology and based on his long career with Ameresco he has a deep understanding of our information technology and business needs and the cyber security opportunities and risks we face.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our Senior Vice President of Information Technology has more than thirty years of experience in cybersecurity and information technology and based on his long career with Ameresco he has a deep understanding of our information technology and business needs and the cyber security opportunities and risks we face.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
In actioning our cyber security strategy, our management together with our Senior Vice President of Information Technology evaluate the materiality of any cybersecurity threats and incidents utilizing both qualitative and quantitative considerations. Our internal audit team also provides independent testing on aspects of the operations of our cybersecurity program and the supporting control framework.
Our cybersecurity program is designed to ensure the confidentiality, integrity, and availability of data and systems as well as to ensure timely identification of and response to any incidents. This design is geared toward supporting our business objectives and the needs of our valued customers, employees, and other stakeholders. We firmly believe that cybersecurity is a collective responsibility that extends to every employee, and we prioritize it as an ongoing objective. To increase our employees' awareness of cyber threats, we provide education and share best practices through a security awareness training program. This includes receiving regular exercises, cyber-event simulations, training programs and an annual attestation to our Technology Acceptable Use Policy.
See “A failure of our information technology (“IT”) and data security infrastructure or cyber or other security incidents, vulnerabilities or other deficiencies, could adversely impact our business, reputation or results of operation or could cause us to default under our contractual obligations.” in Item 1A, Risk Factors.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true