DOMINION ENERGY, INC - (D)
10-K Filing Date: February 23, 2024
Risk Management and Strategy
In an effort to reduce the likelihood and severity of cyber intrusions, the Companies have a comprehensive cybersecurity program designed to protect and preserve the confidentiality, integrity and availability of data and systems. Consideration of cybersecurity risks is a key component of the Companies’ overall risk management and integrated into processes such as evaluation of potential new vendors or suppliers. The Companies are subject to mandatory cybersecurity regulatory requirements, interface regularly with a wide range of external organizations and participate in classified briefings to maintain an awareness of current cybersecurity threats and vulnerabilities.
The Companies’ corporate intelligence and security program includes both cybersecurity and threat intelligence components as part of its evaluation and mitigation of risks. The evaluation of risks includes consideration of cybersecurity and privacy risk, including potential impact on the Companies’ employees, customers, supply chain and other stakeholders, intelligence briefings on notable cyber events impacting the industry and evaluation of insider threats. The Companies utilize a robust set of internal and third-party assessment tools to test their cyber risk management policies, practices and procedures as well as to challenge the assumptions upon which their defenses are built. These assessments provide opportunities for self-critical analysis and the constructive feedback needed to build cyber resilience. Training is routinely provided to employees to help them identify, avoid and mitigate cybersecurity threats and to ensure an understanding of the Companies’ cyber risk management policies. In addition, risk assessments are conducted as a component of the evaluation of vendors and suppliers.
The Companies’ current security posture and regulatory compliance efforts are intended to address the evolving and changing cyber threats. During the past three years, the Companies have not experienced any cybersecurity incidents resulting in a material impact to their business strategy, results of operations or financial condition. The Companies have identified the risk that a hostile cyber intrusion could severely impair the Companies’ operations, lead to disclosure of confidential information, damage the Companies’ reputation or otherwise have an adverse effect on the Companies’ business as disclosed under the Operational Risks header within Item 1A. Risk Factors.
Governance
Dominion Energy’s Board of Directors, including its finance and risk oversight committee, provides oversight of the Companies’ risks from cybersecurity threats. Dominion Energy’s Board of Directors as well as its finance and risk oversight committee receive presentations and reports throughout the year on cybersecurity and information security risk from management, including Dominion Energy’s chief security officer, director of cybersecurity and chief information officer. These presentations and reports address a broad range of topics, including the Companies’ cyber risk management program, updates on recent cybersecurity threats and incidents across the industry, policies and practices, industry trends, threat environment and vulnerability assessments and specific and ongoing efforts to prevent, detect and respond to internal and external critical threats, including management’s hosting in 2023 of its second practical exercise with external federal, state and local incident response partners. In addition, Dominion Energy’s Board of Directors receives briefings from time to time from outside experts for an independent view on cybersecurity risks, including an assessment by an independent consulting firm of management’s response in a ransomware tabletop drill.
The Companies utilize an organization structure known as a converged security model that brings together cybersecurity, physical security and threat intelligence within one department led by the chief security officer. The chief security officer joined Dominion Energy in this role in 2018 and has an extensive background in security having retired from the Federal Bureau of Investigation after a more than 20-year career focused on criminal, counter-terrorism, counter-intelligence and cyber investigations. The chief security officer belongs to the Federal Bureau of Investigation’s Domestic Security Alliance Council, the Department of Homeland Security’s Classified Intelligence Forum and is a member of the national Government/Business Executive Forum. In addition to serving on multiple university advisory boards, the chief security officer also serves on the Commonwealth of Virginia’s Informational Technology Advisory Council.
The director of cybersecurity has over 30 years of experience at Dominion Energy primarily in various roles within the information technology department, including information technology risk management, as well as cybersecurity. The director of cybersecurity has been involved in designing and evolving the Companies’ cyber risk management policies, practices and procedures. This individual has deep relationships with key external partners and is recognized within the industry and the U.S. as a leading cybersecurity expert.
In addition, management of cybersecurity threats is shared with the chief information officer who is responsible for the Companies’ technology assets including hardware, software, networks, servers and telecommunications. The chief information officer has over 25 years of experience at Dominion Energy primarily in various roles within the information technology department, including information technology risk management. In addition, the chief information officer previously served on the board of the Virginia Cybersecurity Partnership, a collaboration between private industry and the Federal Bureau of Investigation.
The chief security officer and chief information officer are supported by the senior vice president of administrative services as well as the Companies’ operations, legal, audit, corporate risk, supply chain, human resources and accounting departments in executing the Companies’ cybersecurity program. In addition, the chief security officer and chief information officer provide periodic updates concerning recent developments affecting cybersecurity and privacy risk to the Companies’ executive cyber risk council, which includes the executive officers responsible for administrative services, corporate affairs, supply chain, the corporate secretary and corporate risk, along with legal counsel.
The Companies maintain a robust, tested and regularly revised Cyber Security Incident Response Plan and a Vendor Compromise Response Plan. These plans detail roles, responsibilities, and actions to be taken in response to a detected event whether internal or associated with a third-party service provider. The plans provide clear direction for escalation of information to leadership, including Dominion Energy’s Board of Directors as appropriate, and drive collaboration amongst relevant members of management representing cybersecurity, information technology, operations, supply chain, legal and accounting departments. As necessary, the COO, CFO and chief legal officer will advise the CEO on any incidents which could potentially have a material effect on the Companies’ business operations, results of operations or financial condition.