YORK WATER CO - (YORW)
10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its data.
Managing Material Risks & Integrated Overall Risk Management
The Company embraces risk management across the company, including cybersecurity risk. This comprehensive approach ensures that cybersecurity considerations are an integral part of its decision-making processes at every level. The Company’s risk management team works closely with its IT department to continuously evaluate and address cybersecurity risks in alignment with its business objectives and operational needs.
Engage Third Parties on Risk Management
To address the evolving nature and complexity of cybersecurity threats, the Company engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing its risk management systems. These partnerships enable the Company to leverage specialized knowledge and insights with respect to its cybersecurity strategies and processes. The collaboration with these third parties includes regular audits, threat assessments, penetration testing, and consultation on security enhancements.
Oversee Third-party Risk
The Company recognizes that cybersecurity threats and risks are amplified with the addition of third-party digital service providers. In response, the Company implements stringent processes to oversee and manage these risks. It conducts thorough security assessments of all third-party providers before engagement and maintains ongoing monitoring to ensure compliance with its cybersecurity standards. This process is also intended to provide for the security and integrity of the Company’s data that may be stored on third-party systems. The monitoring includes quarterly assessments made by the contracted Chief Information Officer, or CIO, and on an ongoing basis by its dedicated cybersecurity staff. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Identified Material Risks
To date, the Company has not encountered cybersecurity challenges, risks, or breaches that have materially impaired its business strategy, operations, or its financial standing.
Board of Directors Oversight of Cybersecurity Material Risks – Governance
The Board of Directors, or the Board, is keenly aware of the critical nature of cybersecurity risks, particularly in its business as a public utility providing a life sustaining product. The Board, in partnership with the Executive team, has created a robust cybersecurity program, with meaningful oversight measures and tools for tracking and managing cyber risks and threats. The Company understands the importance of its product and services to the communities that it serves and is dedicated to maintaining high stakeholder confidence in its operations.
Board Oversight
The Audit Committee is the lead Board committee with oversight of the cybersecurity program and bears the primary responsibility for this aspect of the business. The Audit Committee comprises Board members with diverse professional backgrounds, such as accounting/finance, utility security, risk management, and business performance integration. The breadth of experience in this Committee makes it the most appropriate lead in oversight of cybersecurity risks and capability.
Management Role
The Chief Administrative Officer and General Counsel has primary oversight of the IT Department and the cybersecurity program, with a direct reporting relationship to the President and Chief Executive Officer. The Chief Administrative Officer and General Counsel also reports to the Audit Committee at least two times per calendar year and presents a report to the Board at least once per calendar year. These briefings include both educational and program status information, including:
• Current cybersecurity risks, including qualitative rating based upon underlying objective measures;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident and response reports and lessons learned from any cybersecurity event; and
• Compliance report with regulatory requirements and industry standards.
In addition to the scheduled presentations described above, the IT Department’s contracted CIO, the Chief Administrative Officer and General Counsel, and the President and Chief Executive Officer maintain constant dialogue regarding emerging or potential cybersecurity risks and threats. The Chief Administrative Officer and General Counsel is in regular contact with the Audit Committee Chair regarding these risks so that the oversight by the Board can be both proactive and responsive. The Audit Committee has the authority to actively participate in strategic decisions related to cybersecurity and offers guidance and approval for major initiatives. As a result, cybersecurity considerations can be integrated into the foundation of broader corporate objectives. The Audit Committee and the Board conduct an annual review of the Company’s cybersecurity risk position and the effectiveness of its risk management strategies and measures. From this review at the Board level, the Company is able to identify areas where improvement opportunities exist and can set goals for the following year.
Risk Management Personnel
Primary responsibility for assessing, monitoring, and managing cybersecurity risks rests with the CIO, who has oversight over the IT Department, including one dedicated cybersecurity staff person and select specialized contractors. This group of contractors includes a Chief Information Security Officer, Chief Technology Officer, Cybersecurity Analysts, Network Engineers, and Network Administrators.
Monitor Cybersecurity Risks
The cybersecurity team actively monitors for cybersecurity risks by employing endpoint detection and response solutions with immediate alert notifications, vulnerability scanning solutions that proactively identify risks, and by monitoring the logs of network devices.
Reporting to the Board
The Chief Administrative Officer and General Counsel has primary responsibility to report to the President and Chief Executive Officer and to the Board, and presents with the CIO where appropriate for the content of the presentation and/or to facilitate a substantive discussion. The CIO, through the Chief Administrative Officer and General Counsel, ensures that the highest levels of the Company remain informed about the cybersecurity posture, potential risks, events, and the response if they occur. Material cybersecurity matters and significant strategic risk management processes and decisions are elevated to the Board by the Chief Administrative Officer and General Counsel, ensuring that the Board has effective and substantive oversight and may provide input and guidance on critical cybersecurity measures and issues.