Global Water Resources, Inc. - (GWRS)

10-K Filing Date: March 07, 2024
ITEM 1C. CYBERSECURITY

Rapidly evolving threats to the cybersecurity landscape necessitate ongoing efforts to manage the risk of unauthorized access to the Company’s information systems and devices, including those of the Company and of third-party providers. The Company is subject to laws and rules issued by multiple government agencies concerning safeguarding and maintaining the confidentiality of our security, customer, and business information. The Company employs various aspects of risk assessment regularly, and to the extent possible, continuously. Further, the Company uses a defense in depth, or layered, approach to strengthen the security environment and mitigate the impact of any potential threats. Cybersecurity risks are strategically managed under the leadership of the Vice President, IT Operations and Security, who has achieved preeminent certification as a Certified Information Security Manager (CISM) and Certified Cloud Security Professional (CCSP) and has served as the most senior IT resource in many different roles.

Management regularly assesses new and emerging risks by keeping apprised of current events and actual or anticipated threats within the industry and the overall security environment, which is used along with a risk-based approach to plan and implement changes or improvements to the security environment. The Company has engaged independent experts to assess the security environment for potential vulnerabilities or weaknesses and has plans for future engagements periodically to supplement the expertise and processes established within the Company. Thorough updates are provided to the board of directors quarterly by the Vice President, Information Technology (IT) Operations and Security. The directors may ask questions or engage in further discussion related to the security environment.

Employees are one of our most valuable resources and it is essential that education, particularly related to social engineering, is persistent and relevant. The Company requires ongoing cybersecurity awareness training for all employees, including weekly simulated emails to test the knowledge and reaction of employees. The training is customized based on actual events or anticipated emerging threats, keeping the education applicable and purposeful.

The Company utilizes various continuous monitoring methods for identification and notification of attempted unauthorized system access. Tools deployed throughout the Company track these attempts allowing for trend analysis and strategic adaptation. The Company has also established an incident response policy that thoroughly and systematically documents the Company’s response and assigns responsibility to facilitate timely, organized and appropriate action during a security event or incident, including assessment of the impact and materiality of the event or incident. Incident management is led by the Security Incident Response Team, under the primary leadership of the Vice President, IT Operations and Security, in which the process is categorized by the detection, analysis, containment, eradication and recovery phases and is inclusive of post-incident activities.

In the regular course of our business, the Company manages a range of sensitive security, customer, and business systems information. A security breach of our information systems such as theft or the inappropriate release of certain types of information, including confidential customer, employee, financial or system operating information, could have a material adverse impact on our financial condition, results of operations or cash flows. The Company operates in a highly regulated industry that requires the continued operation of sophisticated information technology systems and network infrastructure. Despite implementation of security measures, the technology systems are vulnerable to disability, failures or unauthorized access. Facilities, information technology systems and other infrastructure facilities and systems and physical assets could be targets of such unauthorized access. Failures or breaches of our systems could impact the reliability of systems and also subject the Company to financial harm. If the technology systems were to fail or be breached and if the Company is unable to recover in a timely way, fulfilling critical business functions and sensitive confidential data could be compromised, which could have a material adverse impact on the Company’s financial condition, results of operations or cash flows.

The Company has experienced, and expects to continue experiencing, these types of threats and attempted intrusions. The implementation of additional security measures could increase costs and have a material adverse impact on the Company’s financial results. Cyber insurance has been obtained to provide coverage for a portion of the losses and damages that may result from a security breach of information technology systems, but such insurance may not cover the total loss or damage caused by a breach. In addition, all costs of responding to and recovering from a cyber incident may not be covered by insurance. These types of events could also require significant management attention and resources, and could adversely affect the Company’s reputation with customers and the public.

As operators of critical infrastructure, the Company may face a heightened risk of cyberattacks from internal or external sources. Unauthorized access to confidential information located or stored on these systems could negatively and materially impact customers, employees, suppliers and other third parties. Further, third parties, including vendors, suppliers and contractors, who perform certain services or administer and maintain our sensitive information, could also be targets of cyberattacks and unauthorized access. While the Company has instituted safeguards to protect the information technology systems, those safeguards may not always be effective due to the evolving nature of cyberattacks and cyber vulnerabilities. The Company cannot guarantee that such protections will be completely successful in the event of a cyberattack.

If the information technology systems, or that of third parties on which the Company relies, are affected by a significant cyber breach, this could result in, among other things, a significant disruption to operations; costly investigations and remediation; misappropriation of confidential information of the Company or that of customers, employees, business partners or others; litigation and potential liability; enforcement actions and investigations by regulatory authorities; loss of customers and contracts; harm to reputation; and a loss of management time, attention and resources from regular business operations, any of which could have a negative impact on business, results of operations, and cash flows. As previously discussed, the Company is subject to laws and rules issued by multiple government and private agencies concerning safeguarding and maintaining the confidentiality of our security, customer, and business information. The increasing promulgation of rules and standards will increase our compliance costs and our exposure to the potential risk of violations of the standards.