Southwest Gas Holdings, Inc. - (SWX)
10-K Filing Date: February 28, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks; intellectual property and proprietary business information theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; physical damage to utility and transmission infrastructure; and reputational harm. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage these risks. As part of our enterprise risk management program, we consider cybersecurity risks alongside other risks in our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying material cybersecurity threats, assessing their severity, and deploying potential mitigations. We have implemented cybersecurity programs at both Southwest and Centuri that are tailored to the distinct businesses of our two segments.
Southwest’s cybersecurity program focuses on people, processes, and technology, and takes a defense-in-depth approach by seeking to align with industry best practices. We invest in annual cybersecurity awareness training and testing for employees. We teach employees about remaining vigilant in daily work activities and practicing good security awareness. Specialized cybersecurity training is provided to those in specific job functions particularly susceptible to cyber incidents, and phishing simulations are conducted monthly. Annually, a cybersecurity fair is held, and every employee is encouraged to participate. During this fair, outside experts present current and relevant information in an engaging and educational atmosphere. Tabletop exercises are periodically conducted to evaluate controls, processes, and procedures within Southwest and with our partners in the handling of a cybersecurity incident. Southwest maintains partnerships with law enforcement and other participants within the natural gas and electric utility industries. We also participate in the Information Sharing and Analysis Center to share threat intelligence and collaborate on cybersecurity issues affecting our industry.
As a natural gas local distribution company, Southwest’s objective is to comply with the U.S. Department of Homeland Security Transportation Security Administration (“TSA”) security directives for our gas monitoring and control systems. Pursuant to these directives, Southwest engages outside consultants to regularly review our technical architecture and alignment with the TSA security directives. In addition to complying with these regulations, Southwest takes a quantitative approach to cybersecurity risk to identify areas for future cybersecurity investment and periodically engages experts to attempt to infiltrate our information systems to further strengthen our security posture. We invest in a range of cybersecurity technologies within the perimeter, network, and endpoints, creating a defense-in-depth architecture designed for prevention and response to cybersecurity events and to help minimize exposure to risks.
To provide for the availability of critical data and systems, maintain regulatory compliance, manage our risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, Southwest undertakes the following activities:
• deploys a defense-in-depth approach with security measures in place at multiple layers;
• closely monitors information systems using a suite of technologies and a specialized cybersecurity team;
• reviews emerging data protection laws and implements changes to our processes designed for compliance;
• trains each new employee who handles individual customer data on handling and use requirements for such data;
• avoids, where possible, storing sensitive customer information like social security numbers or banking information for individual customers on our information systems;
• conducts regular phishing email simulations for employees and contractors with access to corporate email systems to enhance awareness and responsiveness to possible threats;
• through policy, practice, and contracts (as applicable) encourages employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
• runs tabletop exercises to simulate response activities to a cybersecurity incident and uses the findings to improve our processes and technologies;
• leverages the National Institute of Standards and Technology (“NIST”) Computer Security Incident Handling Process as a framework to help identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
• conducts vulnerability and penetration assessments, with associated remediation activities.
Southwest’s incident response plan is designed to coordinate the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents. These activities include processes to triage, assess severity, communicate, contain, investigate, and remediate the incident, as well as comply with any applicable legal obligations and mitigate reputational damage.
Southwest’s processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to customer and employee data or our systems. Third-party risks are included within our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data, or facilities that house such systems or data, and monitor cybersecurity threat risks identified through our diligence review. Our due diligence process involves the use of questionnaires that are completed by third-party service providers and reviewed by business unit representatives and cybersecurity specialists to identify risks associated with third-party service providers. We use the responses provided in the questionnaires to assist in finding ways to mitigate risks presented by a particular third-party service provider consistent with the services provided. Additionally, contracts with third parties that could introduce significant cybersecurity risk to Southwest include terms to assist in the mitigation of cybersecurity risks, including but not limited to, requiring counterparties to report data privacy or cybersecurity incidents to us and to agree to be subject to periodic cybersecurity audits as appropriate.
Centuri conducts quarterly cybersecurity reviews with its Executive Leadership Team. The review outlines the state of cybersecurity practices at Centuri through the lens of the NIST Cybersecurity Framework (“NIST CSF”). Details relative to the progress of specific goals and objectives are communicated to ensure alignment with leadership expectations. Centuri has developed policies and implemented procedures to meet the security control objectives provided within the NIST CSF, as well as applicable Centuri policies. Centuri’s cybersecurity team performs a variety of internal operational risk assessment activities to track and mitigate risks to the organization. These operational practices cross a variety of management activities and a list of these activities is maintained in a Cybersecurity Risk Register for tracking the status of risk mitigation activities, as well as the overall maturity of the organization relative to the NIST CSF. Centuri further engages third parties to perform both targeted and holistic evaluations of Centuri cybersecurity practices on a regular basis.
Centuri’s cybersecurity team performs independent reviews of new vendors whose services may be potentially integrated within the Centuri enterprise. As part of a standardized review process, Centuri’s cybersecurity team maintains a Control Assurance Toolkit to review vendor activities, practices, and controls for alignment with Centuri’s policies and procedures. Resulting control recommendations are coordinated to ensure appropriate implementation during integration activities.
Centuri undertakes vulnerability, attack, and penetration testing via a third-party audit. As part of its general control practices, Centuri performs a review of service organizational controls reports for in-scope vendors to ensure adherence to generally accepted cybersecurity practices. Any reported weaknesses and associated responses are captured and evaluated for impact, and subsequently provided to Centuri leadership for review and response.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Operational Risks” as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. However, because Southwest operates in the area of critical infrastructure, as defined under federal law and by the TSA, we have been and will continue to be the target of cybersecurity attacks from time to time.
Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. The responsibility for oversight of risks from cybersecurity threats rests with our entire Board, but the Audit Committee oversees certain cybersecurity-related items as described below. At least twice per year the entire Board receives an overview from management on our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, and cybersecurity threat risks or incidents and developments, as well as the steps management took to respond to such risks. Additionally, our Chief Information Officer attends Audit Committee meetings to present cybersecurity information for consideration in financial reporting, as necessary, and attends private Executive Sessions with the Audit Committee. Our Director of Internal Audit reports to the Audit Committee regarding attack and penetration exercise results and remediation. Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news or events and discuss any significant updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of matters such as enterprise risk management, operational budgeting, mergers and acquisitions, and other relevant matters. The Board has also recently participated in a tabletop exercise associated with cyber threats.
At the management level for Southwest, our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by Southwest’s President and the Vice President/Information Services/Chief Information Officer, along with the Director of Information Security, Manager of Cybersecurity Services, and Manager of Information Security Compliance and Administration. A Cybersecurity Executive Committee, consisting of officer-level management appointees representing key areas of our business, exists to maintain situational awareness of cybersecurity risks, support methods of addressing cybersecurity risks, and support the Chief Information Officer’s efforts to help Southwest follow natural gas sector-specific regulations and reporting. The Cybersecurity Executive Committee meets regularly with legal advisors and cybersecurity professionals. In our Information Services Department, the cybersecurity management team members hold degrees in information technology or cybersecurity and industry-recognized certifications in cybersecurity, and each has many years of relevant work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. Cybersecurity team members are expected to keep their knowledge, skills, and training current by participating in industry events and continuing education programs as applicable.
These members of management and the Cybersecurity Executive Committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Our cybersecurity playbooks and incident response plan outline our procedures, communication protocols, and information escalation processes applicable throughout the lifecycle of a cybersecurity incident. The playbooks and plans cover information flow from discovery of a possible issue through the reporting of it to Information Services management and to the Cybersecurity Executive Committee and Board as necessary. In the event of a cybersecurity event at Centuri, Centuri’s leadership team informs Southwest’s cybersecurity team, and the Company’s Audit Committee or entire Board is briefed, as appropriate. As discussed above, members of management (our President, Chief Information Officer, and Director of Information Security) report to the entire Board about cybersecurity threat risks, among other cybersecurity-related matters, at least twice per year, with the Audit Committee receiving more frequent updates as needed to assist in including cybersecurity items in financial reporting and monitoring attack and penetration testing results.