AMERICAN STATES WATER CO - (AWR)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Cyberattacks represent a threat to water, wastewater and electric utility systems. There have also been increasing threats to the information that companies maintain that have resulted in unauthorized disclosure of private customer, employee, director and corporate financial information.
Threats can come from many sources, including, but not limited to, ransomware, malicious software, credential loss or theft, supervisory control and data acquisition (“SCADA”) system takeover, equipment theft, supply chain attacks, phishing attacks, identity-based attacks, denial-of-service attacks or the actions of employees, whether intentional or accidental. Ransomware, whereby hackers take control of a company’s systems and/or data, has been identified as the most significant threat to Registrant’s critical infrastructure systems; it is getting harder to detect, and encrypted files are becoming harder to recover. Threat actors using ransomware have also increased their use of data, not only for direct ransom and data destruction, but also to release the data to the public. Registrant believes a breach of customer personally identifiable information is one of the most significant financial risks to it, as the costs incurred could exceed the amount of its cybersecurity insurance coverage.
Nevertheless, in order to continue meeting Registrant’s technological business needs and as more vendors build solutions in the cloud, Registrant expects to further expand its use of cloud-computing environments. As such, Registrant expects risks from cyberattacks and data breaches to increase due to the growth of its technological footprint in the cloud environments.
Registrant expects to continue to increase its investment in information technology to monitor and address cyber threats and attempted cyber-attacks, and to improve its posture in addressing security vulnerabilities. In addition, Registrant has dedicated employees with cybersecurity technical expertise and also leverages outside cybersecurity firms. Registrant has adopted multi-layered safeguards and educational measures to protect its operations, assets and digital information. Registrant conducts mandatory quarterly cybersecurity training for all employees. Registrant also conducts specialized training for ASUS employees annually on protecting certain types of information relating to the work ASUS and its subsidiaries do with the U.S. government to comply with U.S. government contracting requirements. In addition, Registrant conducts periodic and unannounced phishing tests with all employees and vulnerability assessment and penetration tests.
Registrant has adopted a cybersecurity incident response policy, plan and set of specific instructions, which are annually reviewed by the IT cybersecurity team members. Registrant is also taking actions intended to strengthen its cybersecurity posture and to improve its cybersecurity incident response plans and operating procedures. Despite the actions Registrant has taken and is taking and the fact that, to its knowledge, it has yet to experience a cybersecurity incident, there can be no assurance that Registrant will not experience a cybersecurity incident.
Risk management, oversight and response
Cyber risk management is an ongoing iterative process that requires continuous identification, assessment and management of possible cyber threats and has become a vital part of Registrant’s overall risk management efforts. Registrant’s cybersecurity team assesses ongoing cybersecurity threats and vulnerabilities to prioritize and implement mitigation factors and defense to help contain and combat identified risks.
To ensure threat and vulnerability information is up-to-date, the cybersecurity team subscribes to multiple national and state-level threat and vulnerability information disclosure services, both general-purpose and industry-specific in nature. Updates from these sources include general information delivered on a daily basis and more threat-specific information delivered as required. Tools are in place within Registrant’s environment to monitor for anomalous behavior and provide alerting and, in some cases, automated responses to threats. Registrant’s cybersecurity team meets regularly with product vendors for these tools to ensure optimal configurations are in place to protect its environment.
To determine the risk to Registrant’s systems, it engages in a continuous vulnerability management lifecycle process to identify and remediate vulnerable systems and system configurations. In this regard, Registrant leverages the National Institute of Standards and Technology cybersecurity framework. To supplement Registrant’s internal process, the cybersecurity team regularly contracts consultants to assess system configurations, both passively through exercises such as configuration review and actively through penetration testing, and to assess response procedures through exercises such as tabletop exercises, in order to identify areas for improvement. In addition, Registrant supplements its day-to-day operations with around-the-clock identification, assessment and mitigation of cyber risks provided by third-party security services. Registrant is working on implementing across AWR and its subsidiaries a comprehensive, risk-based approach to identify and oversee cybersecurity risks presented by third parties, including vendors, service providers and other external users of its systems and data, as well as the systems of third parties that could adversely impact Registrant’s business in the event of a cybersecurity incident affecting those third-party systems.
Cybersecurity updates are provided periodically to Registrant’s senior management, including its CEO, CFO and senior vice presidents of Registrant’s operations, and to the senior management of Registrant’s subsidiaries. Cybersecurity risk management extends beyond Registrant’s and its subsidiaries’ senior management teams. Registrant’s Board of Directors (“the Board”) oversees enterprise risk management, or ERM, performed under the direction of Registrant’s senior management team. Cybersecurity updates, including recent findings, changes to processes or personnel changes, are provided to the ERM liaison to the Board, who is a member of the Board, and to the full Board on a quarterly basis or more frequently if needed. Cybersecurity is one component of an overall ERM framework that involves Registrant’s Board. The Board satisfies its oversight responsibility by obtaining information from the ERM liaison and senior management of Registrant, with input from the senior management of Registrant’s subsidiaries as necessary. On a quarterly basis, Registrant’s senior management will discuss the implementation status of plans to mitigate cybersecurity risks with the ERM liaison. The ERM liaison and Registrant’s senior management will then provide a report to the full Board regarding the critical cybersecurity risks discussed, mitigation plans and implementation of the ERM program that addresses cybersecurity risks.
In addition, Registrant’s plans require members of its senior management, such as its CEO and CFO, as well as members of management from its, and its subsidiaries’, Operations, Information Technology, Human Capital Management, Accounting and Legal teams, to participate in Registrant’s Cybersecurity Incident Response Team (“CIRT”) so that they are kept current on all aspects of a cyber-attack if a cybersecurity incident were to occur.
Responses to cyber-attacks are fast-moving and dynamic and would require an assessment of actual or potential damage performed by Registrant’s cybersecurity team. If a cyber-attack were to occur, continuous engagement, communication and collaboration between Registrant’s cybersecurity team and members of its CIRT, as well as third parties, would likely be necessary in order to gather accurate and complete information, perform a comprehensive evaluation and assessment of the cyber-attack, manage and contain the cybersecurity threat, and develop and execute a remediation and recovery plan. Members of its CIRT would work together to determine whether a cybersecurity breach is material and required to be reported to the Board and publicly under applicable law.
To ensure that members of Registrant’s Board are informed of material cyber-attacks, Registrant’s CFO and IT Director have been designated as the key members of management who will provide current updates to Registrant’s ERM liaison and the Board. The communication will include, but not be limited to, the nature and status of the cyber-attack, Registrant’s plan to contain and mitigate the cyber threat, and ultimately the remediation and recovery plan to return to a “business as usual” state. Registrant’s CFO has over 15 years of experience overseeing the Company’s risk management area. Registrant’s IT Director has over 25 years of experience in Information Technology designing, implementing and supporting various cybersecurity and technical solutions, along with ensuring compliance with multiple cybersecurity regulations.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect Registrant, including its business strategy, results of operations or financial condition. However, the risk from cybersecurity threats could be significant if a cyber-attack disrupts Registrant’s critical operations, service or financial systems. See “Information Technology Risk Factors” under Item 1A. In addition, any unauthorized access to sensitive information or data breaches could be detrimental to Registrant’s operations, critical corporate information and reputation, and to its relationships with its customers, vendors, employees and directors, could negatively affect future contract awards at ASUS, and could result in the termination of one or more of its existing contracts or the assessment of penalties. The cost of responding to a cyber-attack could be significant depending on the severity of the cyber-attack and could go beyond financial costs, as operations and services provided by Registrant could be delayed and the coordinated resources required in response could be significant. Registrant could also be assessed penalties if it is determined that applicable data privacy laws have been violated.