Table of Contents These provisions in our certificate of incorporation, our bylaws and under Delaware law could discourage potential takeover attempts, reduce the price that investors might be willing to pay for shares of our common stock in the future and result in the market price being lower than it would be without these provisions. Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity Risk management and Strategy We rely on information technology and data to operate our business and develop, market and deliver our products and services to our customers. Our critical information technology includes certain computer networks, third-party hosted services, communications systems, software, personal computers and servers (collectively, “Information Technology"), and our critical data includes certain confidential, personal, proprietary and sensitive data (collectively “Confidential Data”). Accordingly, we maintain risk assessment processes designed to identify cybersecurity threats relating to such Information Technology and Confidential Data, and assess potential material impact to our business that may result from such threats. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity and availability of our Information Technology and Confidential Data and mitigate material harm to our business. We identify such threats by, among other methods, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats, and conducting vulnerability assessments. In the event a threat results in a cybersecurity incident, we have a process for escalating certain cybersecurity incidents from our security team up through our security leadership and ultimately to management. Based on our risk assessment process, we implement and maintain various technical, physical and organizational processes designed to manage and mitigate cybersecurity risks that could affect our Information Technology and Confidential Data, and potential material impacts that may result from such risks. We have implemented measures designed to prevent, detect, respond to, mitigate and recover from identified and significant cybersecurity threats. The cybersecurity risk management processes we maintain for our Information Technology and Confidential Data, depending on the particular environment and system processes, are designed to address cybersecurity threats; incident response; vulnerability management; business continuity; incident detection and response; internal and external evaluations to assess our exposure to cybersecurity threats, environment, compliance with risk mitigation procedures, and effectiveness of relevant controls; documented risk assessments; encryption of data; network security; threat modeling; physical and electronic access; physical security; asset management, tracking and disposal; systems monitoring; vendor risk management; employee security training; penetration testing; cyber insurance; and the maintenance of a dedicated cybersecurity team. To operate our business, we utilize certain third-party service providers to perform a variety of functions and provide certain security-related services, such as outsourced business critical functions, professional services, SaaS platforms, managed services, cloud-based infrastructure, data center facilities, content delivery to customers, encryption and authentication technology, corporate productivity services, and other functions; as well as third parties that assist us to identify, assess and manage cybersecurity risks, including professional services firms, threat intelligence service providers, cybersecurity software providers, penetration testing firms and other vendors that help to identify, assess or manage cybersecurity risks. For certain vendors, our vendor management process includes evaluating the cybersecurity practices of such provider and contractually imposing obligations on the provider related to the services they provide and/or the information they process. For a description of the risks from cybersecurity threats that may materially affect the company and how those risks may affect the company, please refer to Part I, Item 1A. Risk Factors—Risks Related to our Intellectual Property and Technology of this Annual Report on Form 10-K for additional information about cybersecurity-related risks. Enphase Energy, Inc. | 2023 Form 10-K | 45