CHESAPEAKE UTILITIES CORP - (CPK)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. We face a multitude of increasing cybersecurity threats, including those that target the Nation’s critical infrastructure sectors. Reliable service and operational continuity are critical to our success and the welfare of those we serve, including our ability to safely and reliably deliver energy to our customers through our transmission, distribution, and generation systems. We are committed to maintaining robust governance and oversight of these risks and to investing in the implementation of mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks in an ever-changing landscape.
Chesapeake Utilities Corporation 2023 Form 10-K Page 24
To mitigate the threat to our business, we take a comprehensive, cross-functional approach to cybersecurity risk management. Our management team is actively involved in the oversight and implementation of our risk management program, of which cybersecurity represents an important component. At least annually, we conduct a cybersecurity risk assessment that evaluates information from internal stakeholders and external sources. The results of the assessment inform our alignment and prioritization of initiatives to enhance our security controls. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats that follow frameworks established by the National Institute of Standards and Technology (NIST). These include, among other things: security awareness training for employees; mechanisms to detect and monitor unusual network activity; services that identify cybersecurity threats; conducting scans of the threat environment; evaluating our industry’s risk profile; utilizing internal and external audits; conducting threat and vulnerability assessments; and containment and incident response tools. We also actively engage with industry groups for benchmarking and awareness of best practices. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made in a timely manner.
Our approach to cybersecurity risk management includes the following key elements:
• Multi-Layered Defense and Continuous Monitoring: We work to protect our business from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and review trends in the data. We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and enhanced based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
• Information Sharing and Collaboration: We share and receive threat intelligence and best practices with industry peers, government agencies, information sharing and analysis centers, industry trade organizations, and cybersecurity forums. These relationships enable the rapid sharing of information around threat and vulnerability mitigation.
• Third-Party Risk Assessments: We engage third-party services to conduct assessments of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These assessments include testing both the design and operational effectiveness of security controls.
• Companywide Policies and Procedures: We have companywide cybersecurity policies and procedures, such as encryption standards, antivirus protection, remote access protocols, multi-factor authentication, protection of confidential information, and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by the appropriate members of management.
• Training and Awareness: We provide awareness training to our employees to help identify, avoid and mitigate cybersecurity threats. Our employees routinely participate in phishing campaigns, education that reinforces compliance with our policies, standards and practices, and other awareness training. We also periodically perform simulations and other exercises with management and incorporate external resources and advisors as needed. Our team of cybersecurity professionals collaborates with stakeholders across our business units to further analyze the risk to the Company, and forms detection, mitigation and remediation strategies.
• Supplier Engagement: We work collectively with our suppliers to support cybersecurity resiliency in our supply chain. The Company uses a variety of processes to address third-party cybersecurity threats, including reviewing the cybersecurity practices of such provider(s), contractually imposing obligations on the provider(s), notifications in the event of any known or suspected cyber incident, conducting security assessments, and periodic reassessments during the course of the Company’s engagement with such provider(s).
As of the date of this Form 10-K, there have not been any cybersecurity incidents that have materially affected our business strategy, results of operations or financial condition. There can be no guarantee that our policies and procedures will be followed or, if followed, will be effective. For more information regarding the risks we face from cybersecurity threats, please see Item 1A, Risk Factors, which should be read in conjunction with this Item 1C.
Cybersecurity Risk Governance and Oversight
The Company’s Board, in conjunction with its Audit Committee, oversees management’s approach to cybersecurity risk and its alignment with the Company’s risk management program. The Board and Audit Committee receive reports from management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and vulnerabilities. Additionally, management provides the Audit Committee with updates on cybersecurity risk assessments, risk mitigation strategies, and relevant internal and industry cybersecurity matters. The Company’s Chief Information Officer (“CIO”) is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board and Audit Committee. The Company’s CIO has 25 years of experience in the information technology industry. The CIO reports to the Chief Executive Officer and is supported by a dedicated cybersecurity team within our information systems department, as well as a multidisciplinary incident response team. Employees across the organization also have a role in our cybersecurity defenses, which we believe improves our cybersecurity posture.
In addition, the Company’s Risk Management Committee (“RMC”) evaluates risks relating to cybersecurity, among other significant risks, and applicable mitigation plans to address such risks. The RMC is composed of members of the executive leadership team. The RMC meets monthly and receives updates from the CIO or a member of our cybersecurity team. The RMC reviews security performance metrics, global security risks, security enhancements, and updates on our security posture.