American Water Works Company, Inc. - (AWK)

10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY
The Company’s Cybersecurity Program
The Company’s cybersecurity program is an integral part of the long-term sustainability and effectiveness of the Company’s operational and technology environment. To protect the integrity of its data and operational and technology systems, the Company employs a “defense-in-depth” strategy that uses multiple security measures. This strategy aligns with the National Institute of Standards and Technology Cyber Security Framework and provides preventative, detective, and responsive measures to identify and manage risks. The Company periodically reviews and modifies the implementation of its cybersecurity strategy based on threat trends, program maturity, the results of assessments, and the advice of third-party security consultants.
The Company’s cybersecurity program includes the following areas of focus:
Technology that includes, among other things, encryption, threat management, monitoring, investigation support and backups for physical devices, such as mobile phones and computers, connected to the Company network;
Identity and access management controls that include, among other things, multi-factor authentication and safeguards associated with granting elevated privileges;
Proactive cybersecurity processes, including vulnerability scanning, penetration testing and periodic program assessments by outside security consultants and assessors;
Reactive cybersecurity processes that are regularly evaluated using various incident response and disaster recovery exercises;
Employee cyber risk awareness and training, including regular simulation exercises with employees, that cover cybersecurity threats and actions to prevent and report attacks; and
Third-party risk management and security standards, including due diligence, continuous monitoring, cyber risk scoring and contractual obligations, and periodic review of third-party control environments to align the Company’s risk exposure with its business requirements and risk tolerances.
Third-Party Relationships
The Company utilizes partners and third-party service providers to help deliver safe and reliable water and wastewater services across its regulated operations and has implemented a third-party risk management program to understand the cybersecurity risks to the Company that may arise out of these third-party relationships. The Company categorizes third-party relationships by risk level, which is determined primarily by the service provided by the third party and its level of access to the Company’s data. Each category has specific cybersecurity controls, data privacy and documentation requirements, which are outlined in the agreement between the Company and the third-party service provider. In addition, the Company evaluates the online security footprint of its service providers at the time of agreement and on a regular basis thereafter, depending on the provider’s risk level. The Company periodically reviews its agreements with third-party service providers with respect to the terms and conditions governing cybersecurity controls and data privacy. The Company also monitors, as appropriate, risks relating to potential compromises of sensitive Company information through third parties and reevaluates these risks periodically. In addition, the Company obtains annual attestation reports related to data security and privacy from certain third-party providers to further support compliance with industry-standard cybersecurity protocols.
Cybersecurity Risks
The Company believes that its current preventative actions and response activities provide reasonable measures of protection against security breaches and serve generally to reduce the Company’s overall cybersecurity risk. However, cybersecurity threats are constantly evolving and have and will continue to become more frequent and sophisticated. Although the Company has implemented measures that it believes are reasonable to safeguard its operational and technology systems and has sought to establish a culture of continuous monitoring and improvement, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. In addition, the Company has obtained insurance to provide coverage for a portion of the losses and damages that may result from a cyber attack or a security breach, but such insurance is subject to exclusions, limitations and exceptions, and may not cover the total loss or damage caused by an attack or breach. To date, management has determined that no cybersecurity incident experienced by the Company has resulted in a material impact on its financial condition, results of operations or business strategy. For additional information concerning cybersecurity-related risks, see Item 1A—Risk Factors—We may be subject to physical and cyber attacks, and —We may sustain losses that exceed or are excluded from our insurance coverage or for which we are self-insured.
Cybersecurity Risk Management and Strategy
The Company has established an enterprise-wide cybersecurity program designed to prevent disruption to critical information systems, minimize the loss or manipulation of sensitive information, and to timely identify, escalate and promptly remediate and recover from cybersecurity incidents and facilitate compliance with regulatory and disclosure requirements. To oversee cybersecurity risk management, the Company employs a dedicated unit, led by the Company’s Chief Security Officer (“CSO”), to implement cybersecurity controls, assess and report on cybersecurity risks and consult with the Company’s internal Enterprise Risk Management Committee, a decision-making body which supports and oversees the identification, assessment, prioritization, and mitigation strategies for enterprise-level risks, including cybersecurity risks. The Company’s CSO has 23 years of work experience in the cybersecurity field throughout various industries, including the utility sector, and has obtained several professional certifications, including from the International Information System Security Certification Consortium. The CSO reports directly to the Company’s Chief Information Officer (“CIO”), who is responsible for the Company’s information technology program. The CIO has over 25 years of work experience in the information technology, physical security and cybersecurity fields, including previously serving as the Company’s CSO, and holds the Certified Protection Professional, Professional Certified Investigator and Physical Security Professional certifications from ASIS International. The CIO serves on the Water Sector Coordinating Council (“WSCC”), an advisory body comprised of representatives from various U.S. water and wastewater organizations, which serves as a policy, strategy and coordination mechanism for the water sector on critical infrastructure security and resilience issues.
In that role, the CIO partners with representatives from the Department of Homeland Security and the EPA on U.S. water and wastewater sector initiatives. The CIO is also the former Chair of the WSCC, the National Association of Water Companies’ Safety and Security Committee, and the ASIS Utility Security Council.
The Company’s security team provides oversight and policy guidance on physical, cyber and information security, as well as business continuity, throughout the Company’s operations. It is responsible for designing, implementing, monitoring and supporting effective physical and technical security controls for the Company’s physical assets, business systems and operational technologies. The Company’s security team also conducts annual and ongoing cybersecurity awareness training and education for the Company’s employees. In 2023, 100% of the Company’s active workforce completed mandatory cybersecurity training. By equipping employees with knowledge and skills, the Company strives to cultivate and maintain a cybersecurity-conscious culture within its workforce.
The Company’s cybersecurity risk assessment process involves considering risks associated with the nature of its business, receiving and processing inputs from internal and external stakeholders, monitoring industry trends and risks and engaging external advisors, to assist in aligning the Company’s cybersecurity processes with industry best practices. Risk assessments are conducted quarterly and annually to evaluate the effectiveness of the Company’s existing security controls and serve as the basis for additional safeguards, security controls and measures. Operational and technical security controls are deployed and integrated as safeguards against unauthorized access to the Company’s information systems. These controls are aimed at (i) assuring the continuity of business processes that are dependent upon automation, (ii) maintaining the integrity of the Company’s data, (iii) supporting regulatory and legislative compliance requirements, and (iv) maintaining safe and reliable service to the Company’s customers.
The Company has also implemented a vulnerability assessment program that is conducted at least annually and more frequently, depending on the nature of the risk. This process serves as a guiding enterprise-wide framework to outline the scope and procedures of the Company’s cybersecurity risk management processes. By prioritizing vulnerability management and continuously evaluating the Company’s internal and external environments for vulnerabilities, the Company aims to implement preventative measures to protect its information assets and technology-based infrastructure from cybersecurity threats. This approach helps to reduce the Company’s exposure to material cybersecurity threat risks.
Incident Response
The Company utilizes an established internal framework designed to promptly assess the severity and materiality of cybersecurity incidents based on predefined quantitative and qualitative criteria and to determine the appropriate level of response. Incidents are escalated to the relevant management teams based on their severity and materiality for prompt response and mitigation. The Company maintains a standing crisis response team composed of individuals from various functional units, including without limitation Information Technology, Legal, Finance, Enterprise Risk Management, Operations and Communications, to respond to cybersecurity and physical security incidents, environmental incidents and health and safety emergencies, among others.
If a cybersecurity incident were to occur, the Company would establish a cross-functional incident response team to respond to the specific cybersecurity incident. The incident response team would consist of a subset of members from the standing crisis response team, including personnel with the most relevant experience related to the specific incident. This collaborative approach is intended to enable the Company to leverage expertise throughout the business to address cybersecurity events and to evaluate the potential financial, legal, operational and reputational implications of an incident, or series of related incidents. In considering the materiality of an event, related attacks, whether in terms of quantity or impact, are reviewed individually and in the aggregate to determine whether they may have a significant impact on the Company’s financial condition, results of operations or business strategy, either quantitatively or qualitatively.
Cybersecurity Governance
The Board of Directors is responsible for oversight of the Company’s cybersecurity program and the Company’s responses to cybersecurity risk. The Board of Directors has delegated to the Safety, Environmental, Technology and Operations (“SETO”) Committee of the Board of Directors responsibility for the oversight and review of technology policy, strategy and governance, and cybersecurity issues that could impact the Company’s operational performance or risk profile. The SETO Committee meets at least quarterly and receives reports from the CIO and CSO related to cybersecurity threats, trends and risks, and related mitigation activities. In addition, the SETO Committee and the Board of Directors receive reports of periodic external assessments and internal testing of the effectiveness of the Company’s cybersecurity program. The SETO Committee coordinates with the Audit, Finance and Risk Committee of the Board of Directors, as appropriate, on matters related to cybersecurity risk. The Audit, Finance and Risk Committee is responsible for, among other things, overseeing the adequacy and effectiveness of the Company’s system of internal controls and the Company’s risk assessment and management strategy, including with respect to cybersecurity risks.