Via Renewables, Inc. - (VIA)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk management and strategy
Via Renewables, Inc. recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.
Managing Material Risks & Integrated Overall Risk Management
Via Renewables, Inc. has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integrated part of our decision-making processes at every level. Our risk management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.
Engage Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, Via Renewables, Inc. engages with a range of external experts, including cybersecurity assessors, consultants and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices.
Oversee Third-party Risk
Because we are aware of the risks associated with third-party service providers, Via Renewables, Inc. implements stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
We have not encountered cybersecurity challenges that have materially impaired our operations or financial standing.
Governance
The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established a robust oversight mechanism to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.
Board of Directors Oversight
The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
Management’s Role Managing Risk
The Chief Operating Officer plays a pivotal role in informing the Audit Committee on cybersecurity risks. The Chief Operating Officer provides comprehensive briefings to the Audit Committee on a regulatory basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics including:
•Current cybersecurity landscape and emerging threats;
•Status of ongoing cybersecurity initiatives and strategies;
•Incident reports and learnings from any cybersecurity events; and
•Compliance with regulatory requirements and industry standards.
In addition to our scheduled meetings, the Audit Committee and Chief Operating Officer maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Via Renewables, Inc. The Audit Committee conducts an annual review of the Company’s cybersecurity program and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risk rests with the Director of Infrastructure. With over 26 years of experience in the field of cybersecurity, the Director of Infrastructure brings a wealth of expertise to his role. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our Director of Infrastructure oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program.
Monitor Cybersecurity Incidents
The Director of Infrastructure is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Director of Infrastructure implements and oversees processes for the regulatory monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Director of Infrastructure is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting to the Board of Directors
The Director of Infrastructure, in his capacity, regularly informs the Chief Financial Officer (CFO) and Chief Operating Officer (COO) of all aspects related to cybersecurity risks and incidents. The CFO and COO regularly inform the Chief Executive Officer (CEO) of such risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing Via Renewables, Inc. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.