HAWAIIAN ELECTRIC CO INC - (HAWEL)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity risk oversight and management is a critical component of the Company’s overall enterprise risk management and a top priority for the Company and its Board of Directors. The Company’s Board of Directors have delegated management of Enterprise Risk Management, which includes cybersecurity, to the HEI/Hawaiian Electric Audit and Risk Committees and ASB Risk Committees (collectively, the ARCs). The ARCs exercise their oversight responsibility for cybersecurity through quarterly (or more frequent, if necessary) updates from management (primarily the Utilities’ Chief Information Security Officer and Chief Information Officer, and the ASB Director, Information Security) on cybersecurity risk and on incidents, if any. In early 2023, in recognition of the increased cybersecurity threats and heightened cybersecurity risks facing the Company, the ARCs formed the Cybersecurity Working Group (CWG), comprised of three directors, one from each of the Company’s Boards of Directors. The purpose of the CWG is to oversee and conduct periodic meetings with management to discuss cyber risk, risk treatment, and operational activities relative to cyber risk treatment, and to report matters to the ARCs. The CWG also evaluates cybersecurity areas highlighted by the ARCs, including areas the CWG deems higher risk or topical, and reports back to the ARCs on a quarterly basis. The CWG also coordinates with the Company’s management on semi-annual trainings and annual tabletop exercises for the Board of Directors.
Electric utility
System overview. The Utilities rely on evolving and increasingly complex operational and information systems, networks and other technologies, which are interconnected with the systems and network infrastructure owned by third parties, to support a variety of business processes and activities, including procurement and supply chain, invoicing and collection of payments, customer relationship management, human resource management, the acquisition, generation and delivery of electrical service to customers, and to process financial information and results of operations for internal reporting purposes and to comply with regulatory, financial reporting, legal and tax requirements. The Utilities use their systems and infrastructure to create, collect, store, and process sensitive information, including personal information regarding customers, employees and their dependents, retirees, and other individuals.
Risk management and strategy. The Utilities have a cybersecurity program in place, which is integrated into the overall risk management program and includes a risk management strategy and risk assessment policy, which are disseminated and maintained by the Chief Information Security Officer (CISO), revisited annually, and govern the enterprise cybersecurity risk and maturity assessment process. The program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and leverages a risk-based approach to optimize its security investment and advance its security program’s maturity and security posture over time.
The Utilities’ cybersecurity program adopts security measures designed to protect the confidentiality, integrity, and availability of information technology systems, network infrastructure and other assets. The Utilities’ security measures, such as awareness and training and monitoring, are designed to prevent, detect, and minimize the effects of a cybersecurity incident. These measures are periodically evaluated and audited against the NIST CSF by internal audit and independent third-party cybersecurity specialists.
The CISO actively monitors developments in the area of cybersecurity and is involved in various related government and industry groups and briefs the Company’s Board quarterly or as needed on relevant cybersecurity issues. The Utilities continue to make investments in their cybersecurity program, including personnel, technologies, cyber insurance and training of Utilities personnel.
The Utilities have disaster recovery and incident response plans in place to protect their businesses from information technology service interruptions. The disaster recovery plans are established to help prevent the loss of customer data, service interruptions and disruptions to operations or damage to important facilities. In addition, the Utilities also maintain cyber liability insurance that covers certain damages caused by cyber incidents.
Despite the Utilities’ security measures, all of their systems are vulnerable to disability, failures or unauthorized access caused by natural disasters, cybersecurity incidents, security breaches, user error, unintentional defects created by system changes, military or terrorist actions, power or communication failures or similar events.
To date, the Utilities are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Utilities, including their business strategy, results of operations or financial condition. For further information, see “The Company is subject to information technology and operational system failures, network disruptions, cyber attacks and breaches in data security that could materially and adversely affect its businesses and reputation” in Item 1A. Risk Factors.
Governance. Cybersecurity governance is a critically important part of managing security and risk, and helps ensure that the Utilities’ cybersecurity program aligns with its business objectives, complies with government and industry regulations, and achieves the goals that leadership has set out for managing security and risk.
The Company’s Board of Directors oversees risks from cybersecurity threats. Oversight includes quarterly or as needed reporting from the CISO on the overall cybersecurity risk reduction program maturity, emerging and current cybersecurity risks, and the cybersecurity threat landscape.
The CISO has over 30 years of experience in assessing and managing cyber risks, is responsible for day-to-day management of cybersecurity risks and regularly reports to the Board of Directors through the CWG.
Bank
Digital information, information technology and automation are essential components of the ASB’s operations and growth strategy. ASB relies on evolving and increasingly complex operational and information systems, networks and other technologies, which are interconnected with the systems and network infrastructure owned by third parties to support a variety of business processes and activities. Such activities include delivery of banking services to retail and commercial customers, customer relationship management and processing financial information and results of operations for internal and external reporting purposes. We primarily use third-party systems and infrastructure to create, collect, store, and process sensitive information, including personal information of customers, employees and their dependents.
ASB’s Management Committee establishes the Bank’s strategy and makes risk-informed decisions, which includes assessing and responding to cybersecurity risk. The Bank’s Risk Committee of the Board of Directors oversees risks from cybersecurity threats. Oversight includes quarterly or as needed reporting on cybersecurity risk management activities, program maturity, current and emerging cybersecurity risks, and the cybersecurity threat landscape. ASB maintains a cybersecurity program that is integrated into the overall risk management program and is overseen by the Director, Information Security and governed by an Information Security policy, standards and procedures. The cybersecurity program employs a risk-based approach for managing risks through a combination of automated tools, manual processes, and third-party assessments to identify, assess, mitigate and monitor potential cybersecurity risks. In addition to policies, standards and procedures, ASB’s cybersecurity program also includes periodic risk and maturity assessments, awareness and training, monitoring, and an incident response plan.
Periodic risk assessments are conducted that are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ASB leverages the results of such assessments to help optimize security investments and advance the cybersecurity program’s maturity and security posture over time. The Bank’s Risk Committee of the Board annually reviews and approves ASB’s Information Security Policy and Gramm-Leach-Bliley Act programs and receives quarterly, or as needed, reporting on any key cybersecurity developments.
The Bank actively monitors cybersecurity developments and is involved in various industry groups and cybersecurity professional organizations. While the Bank continues to make investments in the cybersecurity program, including personnel, technologies and training of Bank personnel, there can be no assurance that these systems or their expected functionality will be implemented, maintained, or expanded effectively; nor can security measures completely eliminate the possibility of a cybersecurity breach.
While in-depth processes and technological solutions are in place to help minimize the potential for a successful cyberattack, ASB maintains a cybersecurity incident response plan to help ensure a timely, consistent and compliant response to actual or attempted cybersecurity incidents. The Response Plan includes (1) detection, (2) analysis, which may include timely notice to the Board if deemed material or appropriate, (3) containment, (4) eradication, (5) recovery and (6) post-incident review.
ASB maintains a formal information security training program for all teammates that includes training on matters such as phishing and email security best practices. Teammates are also required to complete compulsory training on data privacy and the Code of Conduct.
The Bank engages with third parties to assess and test its cybersecurity posture including having independent third parties perform internal and external penetration testing as well as social engineering and phishing testing of teammates. Results of third-party testing are reported to the Management Committee and Risk Committee of the Board.
ASB relies on its information technology systems and networks in connection with many of its business activities. Some of these networks and systems are managed by third-party service providers and are not under the Bank’s direct control. The Bank has implemented processes to manage the cybersecurity risks associated with its use of third-party service providers.
To date, ASB is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Bank, including its business strategy, results of operations or financial condition. For further information, see “Cybersecurity Events or other disruptions of our information technology systems could adversely affect our business” in Item 1A, Risk Factors of this Annual Report.
Other segment
HEI does not have an information technology (IT) or cybersecurity risk management (CRM) department, including the resources or expertise, to manage IT/CRM-related matters and processes. HEI relies on Hawaiian Electric to provide most of its IT/CRM-related services pursuant to a Service Level Agreement (SLA), amended as of November 1, 2023, between HEI and Hawaiian Electric. HEI also employs third-party cybersecurity consultants to assist in managing CRM-related matters. The SLA outlines specific services that Hawaiian Electric provides to HEI, which include support on all IT/CRM-related matters, IT service desk support, electronic file storage and backup, hardware and software installation, inventory and maintenance, standard networking and telecommunication support, and other various IT/CRM matters, including periodic reporting to HEI’s board of directors and CWG. Refer to Hawaiian Electric’s cybersecurity discussion for more information.
The SLA services provided by Hawaiian Electric are mainly for applications and systems on Hawaiian Electric’s infrastructure, networks and servers. The SLA does not cover support for certain software applications that were procured outside of Hawaiian Electric’s procurement and IT policies and procedures. These include HEI’s general ledger application itself, excluding the infrastructure that the general ledger application is installed on, and certain cloud-based software. Although these applications are not supported by Hawaiian Electric, security measures and internal control procedures related to user access and periodic security reviews have been implemented on these applications and are performed on an ongoing basis in accordance with Hawaiian Electric’s IT policies and procedures. These controls are required to protect HEI’s financial and other sensitive information, as well as to prevent cybersecurity breaches on Hawaiian Electric’s infrastructure, networks and servers. In the event of a cybersecurity breach on these unsupported applications, HEI employs third-party cybersecurity consultants to assess and resolve issues resulting from a breach, depending on its severity. Hawaiian Electric may also provide guidance and support to assist HEI in assessing and resolving cybersecurity breaches. HEI has also formulated disaster recovery plans, which are updated on an annual basis, covering all of its applications, including those applications not supported by Hawaiian Electric.
HEI’s cybersecurity governance is primarily integrated within Hawaiian Electric’s cybersecurity governance plan and processes. HEI’s board of directors and CWG are tasked with overseeing risks from cybersecurity threats through routine quarterly, or as needed, updates and periodic deep-dive sessions. These updates cover cybersecurity incidents, as well as overall cybersecurity risk reduction program maturity, emerging and current cybersecurity risks, and the cybersecurity threat landscape.
The HEI CFO oversees all IT and cybersecurity matters at HEI, including having oversight responsibility for the services delivered under the SLA. Since the HEI CFO does not have expertise in cybersecurity, the HEI CFO works with the Hawaiian Electric CISO and, if necessary, with third-party cybersecurity consultants on assessing, identifying, and managing material cybersecurity matters impacting HEI. There were no cybersecurity incidents that have materially affected or are reasonably likely to materially affect HEI, including its business strategy, results of operations or financial condition.