Northwest Natural Holding Co - (NWN)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Processes of Addressing Cybersecurity Threats
Cybersecurity is critical to our business. As an energy infrastructure company, we face a variety of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries, including nation state actors, that target critical infrastructure sectors. We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. The process is supported by management and overseen by our board of directors.
One of the tools used by management and our Board of Directors in managing business risks is an annual enterprise risk management (ERM) assessment to identify and manage key existing and emerging risks our company faces. Our ERM process is designed to identify significant risks relevant to the company and assess the characteristics and circumstances of the risks to identify both the potential impacts to our company of a particular risk and the velocity with which the risk may manifest. Cybersecurity is among the risks identified in our ERM assessment and has been embedded in the Company’s operating procedures, internal controls and information systems.
In addition to our overall ERM process, we have developed and implemented a cybersecurity risk management program and processes intended to detect, assess, manage, and develop resiliency against material risks from cybersecurity threats. Our cybersecurity program utilizes a risk-based approach and includes written cybersecurity and information technology processes and procedures, including a cybersecurity incident response plan that involves procedures for responding to cybersecurity incidents. We design and assess our program informed by various cybersecurity frameworks, such as the National Institute of Standards and Technology (NIST) and leverage a widely-adopted risk assessment model to identify, measure and prioritize cybersecurity and technology risks. The goal of our program is to prevent, identify, escalate, investigate, resolve and recover from identified incidents and security incidents in a timely manner.
Our cybersecurity program also incorporates intelligence sharing capabilities about emerging threats within the utility industry and other industries through collaboration with peer companies and specialized consultants and advisors, public-private partnerships with government intelligence agencies, including the FBI, CISA, and the Department of Energy Office of Cybersecurity, Energy Security and Emergency Response, and geopolitical briefings. We also leverage third-party benchmarking, the results from regular internal and third-party audits, technology partner resources, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.
Beginning in May 2021, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) released two directives, with several updates, applicable to certain owners and operators of pipeline facilities, including NW Natural. These directives cumulatively required owners and operators to implement cybersecurity incident reporting to the DHS, designate two cybersecurity coordinators, and perform a gap assessment of current entity cybersecurity practices against certain voluntary TSA security guidelines and report relevant results and proposed mitigation to applicable DHS agencies; required implementation of a significant number of specified cybersecurity controls and processes; and clarified Operational Technology (OT) scope and provided a risk- and outcome-based framework. We made significant additional and accelerated investments in cybersecurity in response to the TSA directives.
Our cybersecurity program has several fundamental tenets, including security governance, cybersecurity risk management, compliance, defensibility, zero-trust architecture and cloud security. We utilize multilayered defenses and continuous monitoring with data analytics to detect anomalies and search for cyber threats in our systems.
Key components of our cybersecurity risk management program include:
• risk assessments designed to help identify cybersecurity risks to our critical systems, information, services, and our broader technology environment;
• the use of external service providers with specific expertise, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
• cybersecurity awareness training of our employees, incident response personnel and senior management, as well as periodic experiential learning through “phishing simulations”;
• segmentation of, and back-ups for, certain of our sensitive systems and data;
• a third-party cyber risk management process for vendors including, among other things, a security assessment, a contracting program, and ongoing monitoring of vendors based on their risk profile;
• physical security around our sensitive infrastructure and cyber systems.
In accordance with our program and processes, we regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We conduct regular reviews and tests of our information security program and also utilize audits by our internal audit team and third-party consultants, table-top exercises, penetration and vulnerability testing, data recovery testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We are continuously working to evolve our oversight processes to mature how we identify and manage cybersecurity risks, and we perform periodic maturity assessments to measure our progress.
As a regulated energy infrastructure company, for decades we have used an incident command system (ICS) as a standardized approach to the command, control and coordination of a variety of emergency situations. In the event of emergencies, including cybersecurity events, we stand up an Incident Command Team (ICT) to respond to the emergency. We exercise and train the ICT on a regular basis for a variety of emergencies, including cyber events.
At this time, we have not identified any risks from known previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. With a majority of our business in energy and infrastructure, we face sophisticated and rapidly evolving attempts to overcome our security measures and protections. Both intentional and unintentional incidents could occur in the future. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Item 1A, “Risk Factors” above for additional information on risks related to our business, including, for example, risks related to cyber attacks, information and system breaches, technology disruptions and failures, and our reliance on technology.
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity and other information technology risks to the Audit Committee. The Audit Committee oversees management’s implementation of the cybersecurity risk management program.
The Audit Committee receives regular reports from management on our cybersecurity risks. Additionally, management updates the Audit Committee as necessary, regarding any cybersecurity incidents. The Audit Committee reports to the full Board regarding the Audit Committee’s areas of oversight, including those related to cybersecurity. The full Board also receives briefings from management on our cybersecurity risk management program periodically. Additionally, our Board receives presentations on cybersecurity topics from our IT management team or external experts as part of the Board’s ongoing education.
Our management team, including our Cybersecurity management team, has primary responsibility for our overall cybersecurity risk management program, and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Cybersecurity management team has been led, since 2017, by Mr. Downing, our Vice President, Chief Information Officer, who also functions as our Chief Information Security Officer and reports to our CEO. Mr. Downing has an extensive career of 29 years in information technology services in the energy sector, including at WorleyParsons, British Petroleum and Schlumberger. He holds a degree in Information Systems as well as a Master of Business Administration.
Mr. Downing is supported by Mr. Carlson, our Director of Cybersecurity and Compliance, and his team. Mr. Carlson has 24 years of experience in information technology focused on highly regulated sectors including energy, government, and insurance. He holds a bachelor’s degree in Information Technology and master’s degrees in Information Assurance and Business Administration. The remainder of our team consists of cybersecurity professionals with broad experience and expertise, including in cybersecurity, threat assessment and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. Collectively, our team holds certifications from organizations such as the American Society for Industrial Security, AXELOS, the Cloud Security Alliance, the Information Systems Audit and Control Association, the International Information System Security Certification Consortium and the SANS Institute.
Our cybersecurity and compliance team regularly collects data on cybersecurity threats and risk areas, monitors our systems, and conducts testing to assess our processes and procedures and the threat landscape. The CIO receives regular updates on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.
In the event of an incident, we intend to utilize our ICT and follow our detailed incident program and processes, which outline the steps to be followed from incident detection to mitigation, recovery and notification, including notifying relevant functional areas, as well as senior leadership and the Board, as appropriate.