CALIFORNIA WATER SERVICE GROUP - (CWT)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Governance
The Board and Audit Committee are responsible for overseeing IT and OT risks from cybersecurity threats. The Board recognizes the importance of maintaining the trust and confidence of our customers, employees, and stockholders and the need to protect information stored on our and our vendors' systems, including personal and proprietary data.
Our Senior Vice President of Corporate Services & Chief Risk Officer (SVP & CRO), who reports directly to our Chairman, President & CEO, leads a team that is responsible for managing our enterprise-wide information security strategy, policy, standards, architecture, and processes, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our SVP & CRO holds a Master's Degree in Business Administration and a Bachelor's Degree in Management Information Systems, has over 25 years of information and operational technology experience, is a certified Project Management Professional, and is a Certified Information Security Manager from the Information Systems Audit and Control Association. He served for one year as the President of the Bay Area InfraGard chapter and four years on its Board. InfraGard is a collaboration between the Federal Bureau of Investigation (FBI) and members of the private sector that promotes the protection of U.S. critical infrastructure and enables the exchange of important information. Our Director of IT Security and Chief Information Security Officer (CISO), who reports to the SVP & CRO, has over 25 years of information technology and 15 years of cybersecurity experience and holds a Certified Information Systems Security Professional certification from the International Information System Security Certification Consortium.
The Board and Audit Committee receive regular reports from management no less than quarterly, and on an ad hoc basis, on information and operational technology risks, including cybersecurity and data security risks, as well as on the status of projects to strengthen our information security systems, assessments of our security program, and the emerging threat landscape.
The SVP & CRO receives reports on cybersecurity threats from the CISO, who regularly reviews threat intelligence from various sources, including the FBI and the Department of Homeland Security (DHS). The SVP & CRO, in conjunction with management, also regularly reviews the risk management measures we have implemented to identify and mitigate data security and cybersecurity risks. The significance of these threats is assessed by the SVP & CRO and his team and reported, as appropriate depending on the significance, to the Audit Committee.
Risk Management and Strategy
Our cybersecurity risk management approach is informed in part by multiple standards and regulations for cybersecurity and data privacy, including the following:
• National Institute of Standards and Technology (NIST) Cybersecurity Framework
• NIST 800-171 and Cybersecurity Maturity Model Certification (NIST 800-171 CMMC)
• Payment Card Industry Data Security Standard
• California Privacy Rights Act
• Health Insurance Portability and Accountability Act
• Defense Federal Acquisition Regulations Supplement (DFARS)
We regularly assess our adherence to these standards and maintain programs designed to support our compliance with these requirements. External firms audit our compliance with NIST 800-171 CMMC and DFARS every three years. In addition, our cybersecurity processes have been integrated into our overall enterprise risk management system and specific cybersecurity-focused disclosure controls and procedures have been developed. Management continues to support a variety of practices that are intended to align with recognized frameworks and reflect our approach to assess, identify, and manage material risks from cybersecurity threats:
• Incident response: We have adopted a Cybersecurity Incident Response Plan (IRP) that applies in the event of a cybersecurity threat or incident to provide a standardized framework for investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The IRP applies to all Company personnel and third-party contractors, vendors, and partners that perform functions or services that require access to our information, and to all devices and network services that are owned or managed by the Company.
• Regular testing: We engage a third-party cybersecurity firm to conduct an annual network penetration test on our corporate and supervisory control and data acquisition (SCADA) networks. The annual penetration test enables us to assess our existing security controls, identify weaknesses, and eliminate vulnerabilities so that we can defend against cybersecurity threats proactively. Our Information Technology team also conducts rehearsals of our IRP to test and enhance our ability to respond to cybersecurity incidents.
• Monitoring for risks: We engage a third-party cybersecurity firm to manage our Security Operations Center (SOC), which is responsible for monitoring our network traffic 24/7. Our SOC helps to identify and respond to cybersecurity issues in real time by assessing the level of threats and making recommendations on appropriate actions.
• Security controls: We incorporate physical- and software-based preventive, detective, and corrective security controls to prevent or detect unauthorized activities and to proactively alert us should an unauthorized activity occur within the organization. Early detection can enable the security team to quickly contain and eradicate the unauthorized activity, reducing the exposure window and the impact of the incident. Our Security Information and Event Management (SIEM) tool monitors security logs, includes detective controls, and helps to identify irregular activities.
• Detection and preventive technology: We have implemented multiple technologies designed to help protect our systems from cybersecurity threats, including an intrusion prevention system, a next-generation antivirus program, an endpoint protection system, and a data loss prevention security tool.
• Regular improvements: We regularly work to enhance our systems and integrate new information and technology to upgrade our systems. We review and approve software and hardware acquisitions to enhance our ability to detect and manage cybersecurity threats. We also engage the FBI, DHS, and Fusion Center for incident response support and collaborate to share critical information.
Management also shares knowledge to protect our infrastructure and learn from recent developments. In addition to InfraGard, our SVP & CRO is a member of The Northern California Regional Intelligence Center, which is part of the California State Threat Assessment System supporting public safety as an intelligence and information sharing nexus in Northern California. Our CISO also actively participates on the Safety and Security Committee of the National Association of Water Companies to collaborate with members of our industry and learn best practices.
Our employees represent the foundation of cybersecurity protection and are a key line of defense, and we seek to strengthen their ability to recognize risks by proactively training active employees and contractors each year. We update our online security awareness training annually to review key security policies and practices. To engage our workforce and inform employees of applicable security topics, we provide a monthly internal cybersecurity newsletter. Our monthly mock phishing email campaign is designed to serve as a reminder to employees to refrain from clicking on fraudulent emails disguised as safe content. We also assign enhanced cybersecurity training to employees who have access to potentially sensitive governmental information.
In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity threats that, if realized, are reasonably likely to materially affect us. Additional information on the cybersecurity risks we face is discussed in Part I, Item 1A, "Risk Factors," under the heading "We rely on our information technology (IT) and a number of complex business systems to assist with the management of our business and customer and supplier relationships, and a disruption of these systems, including from cyber-attacks, could adversely affect our business."