SEMPRA - (SRE)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
CYBERSECURITY RISK MANAGEMENT
Sempra, SDG&E and SoCalGas have developed and implemented cybersecurity risk management processes intended to protect the confidentiality, integrity, and availability of our critical infrastructure, systems and information. These cybersecurity risk management processes include cybersecurity incident response plans that are integrated into each entity’s respective enterprise risk management and emergency management programs.
Our cybersecurity processes are largely designed and assessed based on the National Institute of Standards and Technology Cybersecurity Framework and the DOE’s Cybersecurity Capability Maturity Model standards. This does not imply that we meet any technical standards, specifications, or requirements, only that we use these standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management processes include:
▪risk assessments performed by internal personnel and third-party advisors designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise information technology environments
▪information security teams principally responsible for developing and implementing (1) cybersecurity risk assessment processes, (2) information security controls, and (3) response plans to cybersecurity incidents
▪the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our information security controls
▪cybersecurity awareness training and policies designed to address social engineering attacks targeting employees and contractors
▪cybersecurity incident response plans that include procedures for responding to certain cybersecurity incidents
▪risk management processes for third-party service providers, suppliers, and vendors
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our results of operations, financial condition, cash flows and/or prospects.
CYBERSECURITY GOVERNANCE
Sempra’s, SDG&E’s and SoCalGas’ respective boards of directors consider cybersecurity risk as part of their risk oversight function. The Sempra board of directors has delegated to its SST Committee, which is entirely composed of independent directors under the independence standards established by the NYSE, oversight of cybersecurity and other information and operational technology risks. The SST Committee reports to the Sempra board of directors regarding the Committee’s activities, including those related to cybersecurity. The SST Committee receives briefings on cybersecurity topics from Sempra’s chief information security officer, internal information security staff or external experts in part for continuing education on topics that impact public companies. The SST Committee as well as the SDG&E and SoCalGas boards of directors oversee management’s implementation of our cybersecurity risk management processes and receive regular reports from management on our material cybersecurity risks. In addition, management updates the SST Committee and SDG&E and SoCalGas boards of directors about certain cybersecurity incidents. The SDG&E and SoCalGas boards of directors receive briefings from SDG&E’s and SoCalGas’ chief information officer and internal information security staff. SDG&E’s and SoCalGas’ boards of directors also have formed safety committees that, at times, may oversee the matters described above on behalf of those companies’ respective boards of directors.
We have formed cybersecurity councils to provide overall corporate oversight for managing material risks from cybersecurity threats. The cybersecurity councils meet regularly to receive updates on cybersecurity developments at Sempra and our consolidated entities from their cybersecurity management teams.
Our cybersecurity management teams supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal information security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by information security tools deployed in the information technology environment. Cybersecurity management also supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Sempra’s director of cybersecurity governance & chief information security officer provides additional oversight and support for the operational cybersecurity activities at our consolidated entities.
We have also formed materiality assessment teams, which include chief information security officers, chief information officers, chief risk officers, chief accounting officers or chief financial officers, and general counsels, to help assess the materiality of certain cybersecurity incidents.
The cybersecurity councils, cybersecurity management teams and materiality assessment teams include members with decades of operational experience as cybersecurity professionals as well as management with decades of service in the areas of information and operational technology and legal, compliance, financial reporting and enterprise risk management. Some of these members hold degrees and certifications that we believe enhance our ability to manage and respond to cybersecurity risks, including, among others, bachelor’s and/or master’s degrees in cybersecurity and computer science as well as certified information systems security professional, certified incident handler, and certified information security manager certifications.