PNM RESOURCES INC - (PNM)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Process for identifying, assessing, and managing cybersecurity risks
From an overall enterprise risk management perspective, the Company views cybersecurity as a “tier 1” risk and considers it one of its top priorities. The Company’s cybersecurity program (the “Cybersecurity Program”) includes processes to identify, assess, and manage material risks from cybersecurity threats. The Cybersecurity Program utilizes a risk-based approach and includes written cybersecurity and information technology policies and procedures, including a cybersecurity incident response plan. The Company’s Cybersecurity Program is led by its Vice President and Chief Information Officer (“CIO”), who oversees the management and development of all business technology and security for the Company and its subsidiaries. The CIO is also responsible for federal reliability standards compliance, critical infrastructure protection and the supply chain function.
The Cybersecurity Program is a robust, enterprise-wide, risk-based security program that adheres to the guidelines of the National Institute of Science and Technology (“NIST”) Cybersecurity Framework for Protecting Critical Infrastructure to define material risks and establish controls designed to protect, detect, respond to, and recover from cybersecurity incidents. To protect the most critical systems, the Company also complies with the NERC Critical Infrastructure Protection Standards.
The Company regularly assesses control results through third-party audits, penetration tests and internal assessments to continuously improve cyber protections and data privacy controls. The Company partners with government and industry peers in several cybersecurity programs to share information and provide mutual assistance in the event of a cyber-attack. Supply chain risk from third-party suppliers is also assessed as part of the procurement process, and the Company incorporates cybersecurity contractual stipulations in its supplier contracts. The Company remains focused on increasing cybersecurity awareness and is continuously evaluating and implementing effective, up-to-date technologies and processes to enhance its cybersecurity capabilities.
The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of the Company’s cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on the Company’s cybersecurity measures, including information security maturity assessments, audits and independent reviews of the Company’s information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to the Audit and Ethics Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits, and reviews.
Risks from cybersecurity threats
The information set forth under Item 1A, “Risk Factors” — “PNMR, PNM, and TNMP are subject to information security breaches and risks of unauthorized access to their information and operational technology systems as well as physical threats to assets.” on page A-16 of this Annual Report on Form 10-K is hereby incorporated by reference. As of December 31, 2023, our financial condition, results of operations or business strategy have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.
Cybersecurity Governance
Management’s role in assessing and managing the Company’s material risks from cybersecurity threats
The Company’s management is responsible for managing cybersecurity risk and bringing to the attention of the Audit and Ethics Committee and the Board the most significant cybersecurity risks facing the Company. The CIO oversees the Company’s Cybersecurity Program and reports to the Company’s President and Chief Operating Officer. The CIO leads the development, implementation, and enforcement of security policies and data breach resiliency plans, and works with internal and external cybersecurity and IT teams to monitor and maintain the security of the Company’s IT infrastructure. The CIO is supported by a team of enterprise information, system security, and risk professionals. The CIO receives reports on cybersecurity threats on an ongoing basis and regularly reviews risk management measures implemented by the Company to identify and mitigate data security and cybersecurity risks. The CIO updates senior management on these matters and works closely with the General Counsel to oversee compliance with legal, regulatory, and contractual security requirements. The CIO has significant information technology and program management experience and has served many years in the Company’s information security organization. The CIO is a Certified Information Systems Security Professional, Certified Information Systems Auditor and Certified Information Security Manager. In addition, the CIO has an M.S. in Information Systems.
Board oversight of risks from cybersecurity threats
Cybersecurity risk oversight remains a priority for the Board, which is responsible for oversight of the Company’s information security program, including compliance and risk management and the review of cybersecurity risks. The Board has adopted a Cyber Risk Policy which is overseen by the Audit and Ethics Committee. The Audit and Ethics Committee’s oversight of cyber risk management assists in the Board’s assessment of the adequacy of resources, funding, and focus within the Company with respect to cyber risk. Specifically, the Audit and Ethics Committee assists the Board in its oversight responsibilities regarding the company-wide security risk management practices, including overseeing the practices, procedures, and controls that management uses to identify, assess, respond to, remediate, and mitigate risks related to cybersecurity. The Audit and Ethics Committee provides oversight of management’s efforts to identify and mitigate cyber risk. Specifically, senior leadership, including the CIO, regularly briefs the Audit and Ethics Committee and the Board on the Company’s cybersecurity posture. In executing their risk oversight duties, the Audit and Ethics Committee and the Board can and do access internal and external expertise regarding the Company’s challenges and opportunities related to cybersecurity.