ONE Gas, Inc. - (OGS)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
We commit significant resources to protecting and continuing to improve the security of our computer systems, software, networks, and other information or operations technology assets. Our cybersecurity efforts are designed to preserve the confidentiality, integrity, and continued availability of all information owned by, or in the care of, the Company and protect against, among other things, cybersecurity attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt or degrade service, sabotage systems, or otherwise cause damage.
Governance
Our Board of Directors considers cybersecurity risk one of the significant risks to our business. As such, the Board of Directors has retained responsibility for overseeing policies and procedures related to cybersecurity and data privacy matters. The Board of Directors routinely evaluates our cybersecurity strategy to review its effectiveness. Management provides reports to the Board of Directors at least quarterly regarding cybersecurity and other information and operations technology risks.
The Company established a governance committee to provide governance and oversight of security and compliance related activities for security and IT in support of their effective and efficient management of risks, strategies, and operational imperatives for the Company. The committee is chaired by our Chief Information Officer and the membership includes a cross-functional team of executives from IT/cybersecurity, operations, customer service, commercial, risk and insurance, finance, and the legal department. The committee is structured to cultivate collaboration across the enterprise and to align and prioritize resources with our strategic plan.
Risk Management and Strategy
The cybersecurity function is centralized under the Senior Vice President and Chief Information Officer, who has over three decades of experience in information technology. The cybersecurity function is composed of a dedicated team of professionals who work continuously to monitor risks relating to cybersecurity resilience strategy, policy, standards, architecture, and processes. We identify and address cybersecurity risks by employing a defense-in-depth methodology, consisting of both proactive and reactive elements. This requires a comprehensive program involving advanced monitoring and defense technology along with recurring situational drills that exercise incident response and crisis management plans. We leverage dedicated internal resources, along with strategic external partnerships, to mitigate cybersecurity threats to the Company. In the event a cybersecurity incident occurs, we maintain cybersecurity insurance to provide appropriate resources for both financial and cyber expertise. We have partnerships for penetration testing, incident response, and various third-party assessments. We deploy both commercially available solutions and proprietary systems to actively manage threats to our technology environment.
Oversight
Our cybersecurity oversight includes our internal control environment, cybersecurity standards, benchmarks, and internal governance committees. Annually, we assess ourselves, either internally or through an independent third party, against multiple cybersecurity maturity models. We also leverage other industry standards and benchmarks, such as National Institute of Standards and Technology (NIST) standards and Cybersecurity and Infrastructure Security Agency (CISA) best practices, to inform our oversight strategy. The governance committee functions to ensure adherence and accountability to these standards and to deploy appropriate resources to keep pace with the shifting cybersecurity threat landscape.
We have policies and procedures to oversee and manage the cybersecurity risks associated with both internal and external threats, including the regular review of security reports, relevant cyber attestations, and other independent cyber ratings. These practices include technical controls and processes, as well as contractual mechanisms to mitigate risk. Additionally, we utilize cyber ratings, prepared by reputable external agencies, which provide an independent ranking of our cybersecurity maturity and coverage, to assess our cyber proficiency on a standalone basis and comparatively against peers and other companies; these ratings are reviewed annually by the Board of Directors. We have also implemented certain third-party risk management processes to vet, select, and monitor suppliers.
Furthermore, we have established an organizational unit within the legal and compliance department that provides independent compliance testing and review for our regulatory obligations, industry standards, and policies and procedures. It supports the IT and cybersecurity department by conducting formal assessments of compliance measures, consulting on control development and enhancement, and facilitating third-party assessments.
Response
In addition to the safeguards in place to minimize the likelihood and impact of a cyber incident, the Company has established response procedures to address such incidents in the event they occur. These response procedures are designed to identify, analyze, contain, and remediate cyber incidents in a timely, consistent, and compliant manner. Annually, the Company completes incident response, disaster response, and crisis management plan exercises to validate our current readiness. These exercises are intended to test our cybersecurity response plans and resources through simulated cybersecurity incidents, and may include engagement of outside cybersecurity legal counsel, other third-party partners, executive management, and our Board of Directors.
Education
The Company seeks to ensure every employee understands their role in keeping ONE Gas safe from cyber incidents. As part of this commitment, we require our employees to complete recurring cybersecurity awareness training that provides immediate feedback and, if necessary, additional training or remedial action to employees.
Experience
We have experienced no material cybersecurity breaches. As such, we have not spent any material amount of capital on addressing impacts during this time, nor have we incurred any material breach expenses from penalties and settlements. We maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business.