AVISTA CORP - (AVA)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY

The energy sector, including electric and natural gas utility companies, has become the subject of cyberattacks with increased frequency. Our administrative and operating networks are targeted by hackers on a regular basis. Any failure of, or unexpected or unauthorized use of, technology systems could result in the unavailability of such systems, and could result in a loss of operating revenues, damage to our brand and reputation, and/or an increase in operating expenses and costs to repair or replace damaged assets. See “Risk Factors – Cyber Risk Factors” for further information.

We consider the management of cybersecurity risk in our overall enterprise risk management program. See “Item 7. Management’s Discussion and Analysis - Enterprise Risk Management” for further discussion of the program.

We mitigate cyber risk through trainings and exercises at all levels of the Company. Annual cyber and physical training and testing of employees are included in our enterprise security program. Our enterprise business continuity program facilitates business impact analysis of core functions for development of emergency operating plans and coordinates annual testing and training exercises. In addition, there are independent third party audits of our critical infrastructure security program and our business risk security controls.

The technology department, led by the Vice President, Chief Information Officer, and Chief Security Officer, is responsible for our cybersecurity program. The Vice President, Chief Information Officer and Chief Security Officer has over 20 years of experience, including serving in similar roles leading and overseeing cybersecurity programs at other companies. This program includes maintenance of appropriate cybersecurity measures, such as firewalls, anti-virus, patching, and other zero-trust security protocols, monitoring for intrusion and security events that may include a data breach or an attack on our operations, and working with our supply chain department to ensure contracts with third party service providers include appropriate requirements for the mitigation of cybersecurity risk that might impact our business.

Our data breach response team is comprised of designated members of the technology department, senior management and other appropriate individuals. The team is tasked with assessing, managing and responding to material cybersecurity incidents involving either our systems or the systems of third party service providers. The data breach response team includes subject matter experts within the Company, as well as outside experts who specialize in cybersecurity response. A subset of this team is also responsible for assessing the materiality of cybersecurity incidents, reporting to the Audit Committee of the Board of Directors as appropriate, and ensuring timely reporting of cybersecurity incidents deemed material to the Company.

The Environmental, Technology and Operations Committee of the Board of Directors oversees our management of cybersecurity risks. This Committee is briefed on security policy, programs and incidents on at least a quarterly basis. The Audit Committee of the Board of Directors provides oversight of required disclosures relating to cybersecurity.
