Otter Tail Corp - (OTTR)
10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY
CYBERSECURITY RISK
The operation of our businesses is dependent on the secure functioning of our computer infrastructure and digital information systems. Furthermore, all our businesses require us to collect and maintain sensitive customer data, as well as confidential employee and shareholder information, which is subject to electronic theft or loss. We also use third-party service providers to electronically process certain of our business transactions and perform certain cyber-related functions, such as system monitoring and critical infrastructure protection and maintenance. The confidentiality, integrity, and availability of information systems, both ours and those of our third-party service providers, are vulnerable to security breaches by computer hackers and cyber terrorists and the negligent or intentional breach of established controls and procedures or mismanagement of confidential information by employees. We may also be impacted by attacks and data security breaches of financial institutions, merchants or other business partners. As part of our utility operations, we own electric generation, transmission and distribution facilities that are part of an interconnected regional grid, the operation of which is dependent on information technology systems. Parties who wish to disrupt the U.S. bulk power system or our utility operations could view our computer systems, software or networks as attractive targets for cyber-attack. Although we have not historically experienced material cyber incidents, we and other utilities are subject to cyber-attacks of increasing frequency and sophistication, and any significant interruption or failure of our information systems or any significant breach of security due to cyber-attacks, hacking or internal security breaches, could adversely affect our business and our financial condition, operating results and liquidity.
RISK MANAGEMENT AND STRATEGY
Our cybersecurity policies and practices, which are based on the Center for Information Security (CIS) Critical Security Controls, are governed by our information and cybersecurity governance program. The CIS Critical Security Controls are a set of 18 cybersecurity-related controls which aid companies in designing an effective control environment and are viewed as best practices by organizations worldwide. A significant number of our cybersecurity policies and practices associated with our electric utility operations are also subject to regulation by multiple governmental and other agencies.
Our information and cybersecurity governance program is the foundation of our cybersecurity risk management strategy. The program includes policies which authorize and guide the development of procedures, standards, and guidelines for personnel activities, incident prevention and reporting, and compliance monitoring. Cybersecurity policies, procedures and controls are reviewed and approved by our Information and Cybersecurity Program (ICSP) group annually, with amendments made as deemed necessary for any updates for regulatory compliance and best practices, legal privacy protection and information protection, or to reflect current technology or new methods for ensuring secure business procedures.
We perform a corporate risk assessment annually, which includes specific consideration and assessment of cybersecurity risk. As part of our risk assessment process, we incorporate results from procedures performed by third-party consultants. We utilize third-party consultants to complete risk quantification analysis and perform penetration and vulnerability testing and monitoring, as well as overall cybersecurity control testing. Potential risks associated with the use of third-party service providers are monitored and managed through an established service provider management policy. Service providers must meet certain security requirements such as security incident or data breach notification and response protocols, data encryption requirements, and data disposal commitments.
In managing cybersecurity risk, we employ a defense-in-depth strategy and regularly monitor our cyber environment for potential new threats. Our strategy includes employee training and awareness on cybersecurity risks and related best practices, required password complexity, the use of multi-factor authentication, information security protocols, anti-virus and anti-ransomware software, a patch management program, the execution of tabletop exercises on a periodic basis, established policies and protocols for cyber incident response planning and reporting, and ongoing internal cybersecurity testing.
GOVERNANCE
At the management level, our cyber program is managed by our ICSP group. The ICSP group consists of Information Technology (IT) managers, IT security subject matter experts, and internal audit personnel and is led by our Vice President of IT, who has more than 25 years of experience in IT, enterprise security, and cyber risk management, holds a Bachelor of Science degree in CIS/Information Technology and a Master's degree in Business Information Systems, and holds Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Data Privacy Solution Engineer designations. The ICSP group is in charge of developing, maintaining, and measuring compliance with the information and cybersecurity governance program, as well as monitoring cyber incidents and implementing mitigation measures as part of an evolving, dynamic external environment. Our approach to cybersecurity incident reporting and response planning is governed by our incident response plans established for each of our business units. The plans outline the processes related to detecting, assessing, investigating, mitigating, and remediating cyber incidents, as well as the communication and reporting plan and the required personnel to be included in the process and communications.
Our cybersecurity risk management is integrated into our overall risk management system through our internal business risk management process. Our business risk management group works closely with our ICSP group to regularly assess and identify possible material risks from cybersecurity threats, including, but not limited to, financial, operational, reputational and regulatory impacts to the Company, as well as impacts on our employees and customers. Their risk assessment results are reported to the Executive Risk Committee on a quarterly basis. The Executive Risk Committee, which is comprised of our executive officers, meets quarterly to identify and assess short-, medium- and long-term risks, and to ensure adequate mitigation strategies are implemented. During these meetings, the Executive Risk Committee reviews significant and emerging risks, including cybersecurity risks, and assesses the Company’s plans to mitigate or otherwise manage and monitor those risks.
Our Board of Directors provides oversight of our cybersecurity program through quarterly and annual risk review and cybersecurity reporting. On a quarterly basis, cybersecurity risk and mitigation strategies are reviewed as part of our business risk management group's reporting to the Board of Directors, which includes the reporting of significant business risks, including cybersecurity mitigation strategies employed to manage these risks, and a review of any emerging risks. Annually, our Vice President of IT provides an overview of our cybersecurity program to the Board of Directors, including a review of key strategies, emerging risks and a summary of key performance indicators. In addition, annually the Board of Directors reviews the results of our penetration and vulnerability testing.