Avangrid, Inc. - (AGR)
10-K Filing Date: February 22, 2024
Item 1C. Infrastructure Protection and Cyber Security Measures
Avangrid possesses a multi-layered security management approach, consisting of controls, measures, and designs aimed at reducing the risks of unauthorized access or unsanctioned use of our facilities, assets and cyber-infrastructure, such as our transmission and distribution system. These measures are key to assessing, identifying, and managing material cybersecurity related risks and have been integrated across our respective business units, and throughout the Company’s overall risk management framework.
Avangrid possesses a multi-layered security management approach, consisting of controls, measures, and designs aimed at reducing the risks of unauthorized access or unsanctioned use of our facilities, critical assets and infrastructure, such as our transmission and distribution system. These measures have been put in place to help assess, identify, and manage material cybersecurity related risks and have been integrated across our respective business units and throughout the Company’s overall risk management framework.
To manage our cybersecurity and operational risks, pursuant to the cybersecurity risk policy and corporate security policy approved by the board, we have implemented, and continuously refine, cyber and physical security measures that aim to strengthen our technical capabilities to protect our critical assets. In addition, the Company possesses a security governance structure focused on sharing critical and relevant information and optimizing business-wide practices that work to identify, assess and manage wide-ranging risks to the Company including those that are cyber-related.
The board’s audit committee oversees physical and cyber security matters, incident response management, and risks related to physical security, information security, cybersecurity, and technology, as well as the steps taken by management to mitigate such risks. The chief security officer regularly reports to the audit committee on such matters. As part of the Company’s efforts to implement measures to protect against such risks, the Company continuously monitors and, where applicable, adjusts internal policies, rules, and procedures. The Company evaluates its security framework by assessing its controls, with internal as well as external assessors, and works to continuously improve its cybersecurity systems, tools, and measures. This includes contracting with independent assessors that conduct penetration testing.
Fostering Company-wide cyber-related resiliency is also core to the Company’s security management. Avangrid annually tests its incident response plan and implements a training and awareness program that educates employees. With respect to third-party services, we have processes embedded into our procurement process that evaluate contracts for risks and require vendors to adhere to our data security rider and other security measures. Our corporate security department also maintains relationships with federal and state agencies to exchange threat information as appropriate.
Upon the recommendation of the board’s audit committee, the board has appointed a senior officer responsible for security, the chief security officer, or CSO, who is a corporate and U.S. national security veteran. The CSO oversees a dedicated corporate security department responsible for managing security risks across the company. Our CSO has over 25 years of experience working in cybersecurity and gained subject matter expertise in cybersecurity, intelligence, privacy, and risk reduction while working at, among other employers, the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, or CISA, and the North American Electric Reliability Corporation. The Company’s corporate security department is responsible for the physical and cyber security program, which is supported by a governance program that manages and assists the Company in seeking to protect our cyber, physical and information assets. Together, these members of management are informed about and monitor the threats through their implementation of the controls, measures, and designs described above.
As further described in our risk factor “Security breaches, acts of war or terrorism, grid disturbances or unauthorized access could negatively impact our business, financial condition and reputation” under Item 1A - Risk Factors of this Annual Report on Form 10-K, a physical or cyber breach could result in, among other things, theft, damage, interruption of service and the release of critical operating information or confidential customer information. While we have experienced insignificant security breaches in the past, to date, we are not aware that we have experienced a material cybersecurity or physical breach. The Company aims to take proactive steps to manage evolving threats including, without limitation, the threat of a material cybersecurity incident. We continue to invest in technology, processes, security measures and services in our ongoing efforts to predict, detect, mitigate and protect our assets, both physical and cyber. These investments include assessments and implementation of appropriate upgrades to our cyber-infrastructure assets, network architecture and physical security measures.