NISOURCE INC. - (NI)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
NiSource has implemented and maintains a comprehensive cybersecurity program that includes a variety of security controls and measures designed to identify, assess, and manage material cybersecurity risks. The program is part of NiSource’s enterprise risk management strategy. The enterprise risk team and the Risk Management Committee review material risks to any NiSource operating company based on perspectives from external experts, peer surveys, and the potential impact to NiSource’s enterprise assets and strategic objectives.
Risk events are classified based on both the timing of impact and NiSource’s ability to preventively mitigate the risk. For the cybersecurity risks that can be preventively mitigated, the enterprise risk team gathers quarterly updates on mitigation gap closure from risk owners. The Risk Management Committee reviews any mitigation gaps identified by risk owners and approves or rejects the pace of mitigation activities as a statement of risk tolerance, and then directs that mitigation activities be included in budgets and the business plan as appropriate.
The NiSource cybersecurity program includes the following key components:
Risk assessment: NiSource regularly assesses its cybersecurity risks to identify and prioritize the most significant threats. The risk assessment process considers a variety of factors, including those specific to the utility/energy industry, the types of data NiSource collects and stores, and the threats posed by known vulnerabilities. NiSource engages third parties to perform independent assessments of its cybersecurity program, to provide intelligence about the threat environment, and to provide operational assistance in managing the program. Annually, a third-party independent assessment is performed to evaluate NiSource’s cybersecurity maturity against a framework of cybersecurity controls. NiSource also has a third party perform bi-annual penetration testing and social engineering assessments.
Third-party risk management: NiSource periodically performs cyber assessments of third-party vendors and service providers with whom NiSource shares data, on whom it relies for critical business functions, or to whom it provides access to the NiSource network or systems. NiSource’s Supply Chain function works with legal counsel and the Cyber function to periodically update the cybersecurity contractual provisions in its vendor agreements, with deviations from such provisions requiring approval from the Legal Department and the Cyber function. NiSource’s Supplier Code of Business Conduct requires, among other things, that suppliers ensure the safe and secure use of information assets, comply with applicable law relating to personal information, and adhere to standards governing the use and protection of Company information, including that of our employees, customers, vendors and other stakeholders. In addition, all vendors and contractors that have access and/or connectivity to the NiSource environment must complete cybersecurity training annually.
Security controls: NiSource has implemented a variety of security controls to mitigate cybersecurity risks. These controls include technical controls, such as firewalls and intrusion detection systems, as well as administrative controls, such as employee training and security awareness programs. Within the electric business, NiSource Operational Technology (OT) adheres to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards. Within the natural gas business, cybersecurity controls are managed and monitored based on the Transportation Security Administration (TSA) Security Directives.
Incident response: NiSource has a comprehensive incident response plan in place to respond to cybersecurity incidents. The plan includes steps for detection, analysis, containment, eradication, and recovery from incidents, as well as steps for notifying affected individuals and regulators.
The NiSource Board of Directors' Audit Committee has responsibility for oversight of the cybersecurity program and risks from cybersecurity threats. The Audit Committee meets quarterly to review NiSource’s cybersecurity posture and make recommendations for improvement. The Chief Information Security Officer (CISO) regularly briefs the Audit Committee on cybersecurity risks and the efforts to address them. In addition, the Board of Directors is briefed regularly, through written reports and updates by the Audit Committee, about key and emerging cybersecurity risks.
At the management level, the CISO leads the cybersecurity program and is responsible for assessing and managing cybersecurity risks. Our CISO has expertise and experience in cybersecurity derived from over 15 years of cyber-related work experience and possesses several certifications, including Certified Information Systems Security Professional (CISSP), Certified