CONNECTICUT LIGHT & POWER CO - (CNTHP)
10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
The Company’s policies, practices and technologies allow it to protect its information systems and operational assets from threats. The Board of Trustees and its Finance and Audit Committees continue to provide substantial and focused attention to cyber and system security. The Finance Committee of the Board of Trustees is responsible for oversight of the Company’s enterprise-wide risks, including risks associated with cyber and physical security, and the Company’s programs and practices to monitor and mitigate these risks.
Management prepares comprehensive cyber security reports that are discussed at each meeting of the Finance Committee. The reports focus on the changing threat landscape and the risks to the Company, and describe Eversource’s cyber security drills and exercises, attempted and actual breaches of our systems, cyber incidents within the utility industry and around the world, and mitigation strategies. In addition, third-party cyber security experts periodically present to the Finance Committee their assessments of risks to the utility industry and to the Company in particular. The Company regularly reviews and updates its cyber and system security programs, and the Finance Committee continues to enhance its robust oversight activities, including meetings with financial, information technology, legal and accounting management, other members of the Board, representatives of the Company’s independent registered public accounting firm, and outside advisors and experts in cyber security risks, at which cyber and system security programs and issues that might affect the Company’s financial statements and operational systems are discussed.
The Company has a robust Enterprise Risk Management Program, which has identified cyber security as a top enterprise risk. Managing and monitoring these risks is the responsibility of the Company’s Risk Committee, which meets quarterly and is chaired by the Chief Financial Officer.
The Company is committed to continuous monitoring and assessment of cyber security controls. The Chief Information Security Officer is responsible for developing, implementing, and enforcing our cyber security program and information security policies to protect the Company’s information systems and operational assets. The Chief Information Security Officer position requires at least 15 years of relevant information security experience and relevant security certifications. The Chief Information Security Officer reports directly to the Chief Information Officer and provides regular updates to the executive management team. Our Chief Information Security Officer has over 20 years of relevant experience.
The Company created a Cyber Governance Committee, which includes the Chief Information Security Officer, Chief Information Technology Officer, Chief Accounting Officer, members of the executive management team, and other assurance functions such as Corporate Compliance, Enterprise Risk Management, and Internal Audit.
To assess, identify and manage material risks from cybersecurity threats and to prevent, detect, mitigate and remediate a cyber security or ransomware incident, the following key processes and programs have been implemented and are performed by the Company’s Cyber Security Group, which is overseen by the Chief Information Security Officer:
•Implementation of security solutions and standards based on industry best practices to prevent unauthorized access. The Company’s cyber program has been modeled after the National Institute of Standards and Technology framework, a widely accepted framework utilized by critical infrastructure industries.
•Periodic external assessments, including testing of external access to Company systems, are performed. Rigorous auditing of all safeguards is performed on a regular basis. Risk assessments are conducted to identify and address new and changing risks to protect systems and sensitive data. Identified areas are monitored and improvements are implemented.
•Eversource participates in information sharing programs both within and outside the utility industry, including with the U.S. government and industry organizations, to be able to identify and respond to emerging threats.
•The Company maintains current incident response and business continuity plans, which are periodically updated and tested.
•Network activity is monitored on an ongoing basis.
•Anti-phishing and malware tools are utilized and assessed.
•Employees are trained to recognize phishing attempts and are periodically tested. Results of phishing testing are benchmarked against other companies both within and outside the utility industry.
Specific to third parties, Eversource has implemented formal screening processes, carried out by the Company’s Cyber Security Group as part of the Procurement process, for all applicable vendors. Vendors are risk ranked based on the type of work being performed. Periodic rescreening is performed on critical vendors. Vendors are required to attest to their business continuity programs and provide evidence of appropriate insurance and indemnification agreements. The Company bars sourcing from countries included on the Department of Homeland Security’s list of Prohibited Nations to further protect the Company’s supply chain. The Company maintains cyber insurance which covers breaches of networks and operational technology. Our existing insurance limits may be inadequate to cover a material cyber incident, which could expose us to potentially significant claims and damages.
As of December 31, 2023, there were no risks from cybersecurity threats, including due to any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, its business strategy, results of operations, or financial condition.