PINNACLE WEST CAPITAL CORP - (PNW)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
The Company prioritizes and maintains a high level of commitment to responsible and secure cybersecurity practices given the critical nature of its services and the potential consequences of a successful cyber-attack on the Company and the electric grid. A successful cyber-attack could have far-reaching consequences, from compromising the integrity of sensitive data to disrupting power supply. To that end, the Company implements a robust risk management, strategy, and governance regime aimed at ensuring effective controls are in place to identify, mitigate, remediate, and communicate cyber threats at appropriate levels within the organization.
APS’s cybersecurity group (the “Cybersecurity Group”) consists of cybersecurity analysts, engineers, architects, and others, led by the Director of Cybersecurity, who reports to APS’s Vice President, Operations Support. The Director of Cybersecurity has more than twenty years of experience in information technology and cybersecurity roles, with more than ten of those years at the Company. The Director of Cybersecurity also holds cybersecurity certifications from multiple certifying bodies and is active in utility cybersecurity professional organizations. The Cybersecurity Group has day-to-day responsibility for safeguarding the Company’s critical assets and for assessing, identifying, and managing material risks from cybersecurity threats.
In fulfilling its responsibility, the Cybersecurity Group manages formal documented internal processes such as risk management and vulnerability scanning, as well as other processes, such as assessing threat intelligence, that include outside partners. Intelligence sharing comes from industry sources such as the Electricity Information Sharing and Analysis Center, government sources, as well as commercially purchased information sources. The Cybersecurity Group also engages third parties for assessments and audits of its systems periodically and as needed. Such assessments and audits may include, among other things, pre-production evaluation of technologies, overall program assessments, and compliance program assessments including audits by our regulators.
Depending on the products and services provided and the potential for data exchange and technology risk, we may require vendors and service providers to pass APS’s vendor risk management program, which sets forth security and data protection requirements, as a condition to doing or continuing to do business with us. For contracts with vendors that will handle or have access to certain sensitive data, APS requires contractual provisions setting forth cybersecurity controls, vulnerability management, secure development practices, and other security and data protection requirements. A subset of vendors that meet a predetermined risk profile due to strategic relationships, technology risk, or other factors is continually monitored by a third-party risk management service, and the Company annually reviews independent assessments of these vendors.
The Cybersecurity Group also has documented processes for identifying, responding to, and internally escalating cybersecurity incidents. Once an incident meets certain criteria, the Company’s Cybersecurity Incident Command or, in the most severe cases that impact the entire Company, the Corporate Emergency Operations Center is activated and formal response procedures are followed to address the incident. The Cybersecurity Group has a formal incident response plan that details response and escalation procedures, including activation of a Cybersecurity Disclosure Committee, consisting of the Chief Financial Officer and the General Counsel, to assess an incident’s materiality with input as needed from the Director of Cybersecurity, Chief Accounting Officer, Chief Information Officer, and others, including outside advisors.
Cybersecurity risk management has been integrated into the Company’s overall enterprise risk management program (the “Enterprise Risk Management Program”) through policies and processes that implement a risk management framework designed to identify, manage, and monitor business unit risks throughout the organization. The Enterprise Risk Management Program is overseen by an executive committee (the “Executive Risk Committee”), which meets at least quarterly and consists of members holding executive leadership positions in the Company, including the Chairman and Chief Executive Officer, the President, and other Executive and Senior Vice Presidents; it is chaired and sponsored by the Chief Financial Officer. Every year, as part of the Enterprise Risk Management Program, the top risks affecting the Company are identified. For 2023, cybersecurity was identified as a top risk. The applicable subject matter experts brief the Company’s Board of Directors on the status of all top enterprise risks at least once per year. Finally, the Nuclear and Operating Committee of the Company’s Board of Directors provides ultimate oversight of cybersecurity risk and receives briefings at least twice per year from the Cybersecurity Group, and notable audit findings relating to cybersecurity are aggregated and provided to the Board of Directors’ Audit Committee.
To date, we do not believe there have been risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Pinnacle West or APS. However, there is no assurance that will continue to be the case. If a significant cybersecurity event or incident were to occur, our ability to fulfill our critical business functions and our business strategy, results of operations, and financial condition could all be materially impacted. See the risk factor entitled, “We are subject to cybersecurity risks and risks of unauthorized access to our systems that could adversely affect our business and financial condition” in Item 1A—Risk Factors for more information.