There have been an increasing number of cyberattacks on companies around the world, which have caused operational failures, compromised sensitive corporate or customer data, and/or resulted in significant financial damages. These attacks have occurred over the internet, through malware, viruses or attachments to e-mails, or through inside actors with access to systems within the organization.

Risk Management and Strategy

We have implemented security measures and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks. All employees receive cybersecurity training and other education regarding their use of computers, information technology, and sensitive data. We utilize third parties to support our information technology, or IT, resources, including disaster recovery intended to safeguard our ability to access and use our IT resources during a disaster or cyber incident. Our business continuity plans are evaluated against evolving security and service level standards, which includes evaluating those cybersecurity threats associated with our use of key third party service providers.

Our cybersecurity management process consists of utilizing a combination of employee education, preventative controls, detective controls, and periodic third-party cybersecurity testing. We have installed and utilize enterprise scale technology to support an appropriate cybersecurity posture including: endpoint detection and response, firewalls, security information and event management, email security, multifactor authentication, and vulnerability management. We receive cybersecurity related alerts from our membership in a number of industry groups. These alerts are evaluated and in the event an alert requires action within our environment, such actions are taken promptly. Our process and cybersecurity posture is refined based on the results of periodic third party cybersecurity assessments. We engage with the Cybersecurity and Infrastructure Security Agency through their cyber hygiene service offerings. Cybersecurity is addressed in IT’s reports to the Corporate Automation Steering Committee, which consists of all Officers and the Director of Customer Service, as well as in IT’s reports to the Board of Directors. Should a cyber event occur, depending on the severity of an event, our cyber incident reporting process includes informing, as early as practicable, our senior corporate management.

Governance

The Audit Committee of the Board of Directors, as overseen by the full Board of Directors, is responsible for oversight of cybersecurity risk. Our IT executives report on our cybersecurity practices and risks at each meeting of the Audit Committee of our Board of Directors. In addition, our IT executives provide periodic updates on cybersecurity risks to our management at regularly held executive committee meetings. Should any cybersecurity threat or incident be detected, our IT executives would timely report such threat or incident to the management executive committee and provide regular communications and updates to the executive committee throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken. Any incident identified by the management executive committee as having a material impact would be promptly escalated to all members of the Board of Directors. Should there be an incident which does not rise to the level of being material, such incident would, at minimum, be included in the subsequent IT reports to both the management executive committee and the Board of Directors.

We believe we are appropriately staffed to support a healthy cybersecurity posture. All IT personnel have a combination of professional experience, education, and/or certifications for their area of responsibility. For IT leadership, our Chief Information Officer earned a Masters of Business Administration and also a Master of Science degree in Information Systems & Technology Management. Our Vice President of Information Technology earned a Bachelor of Science in Computer Science and Business and a Bachelor of Science in Business and Economics. The Vice President of Information Technology is also a Certified Public Accountant, a Certified Information Systems Auditor, and a Chartered Global Management Accountant. Our Director of Cybersecurity earned an Associates Degree in Computer Network Engineering and is a Certified Information Systems Security Professional.

To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. However, despite all of the above aforementioned efforts, a cyberattack, if it occurred, could cause water or wastewater system operational problems, disrupt service to our customers, compromise important data or systems or result in an unintended release of customer or other confidential information. See “Item 1A. Risk Factors—Risks Related to Cybersecurity and Technology” for additional discussion of cybersecurity risks impacting our Company.