UNITIL CORP - (UTL)
10-K Filing Date: February 13, 2024
For purposes of the following disclosure, the terms “cybersecurity incident” and “cybersecurity threat” have the meanings given to such terms in Item 106 of Regulation S-K promulgated under the Securities Exchange Act of 1934.
Risk management and strategy
The Company has a Cybersecurity Plan for assessing, identifying, and managing material risks from cybersecurity threats. The intent of the Cybersecurity Plan is to provide a proactive and systemic approach to meet the evolving requirements for cybersecurity and related compliance in the utility industry. The Cybersecurity Plan’s objectives include:
·adopting and using established cybersecurity standards and industry best practices;
·protecting personally identifiable information;
·protecting infrastructure operations, including Supervisory Control and Data Acquisition (SCADA) systems at electric substations and natural gas plants;
·securing customers’, employees’, and the Company’s data;
·complying with North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards and standards for the protection of Bulk Electric System (BES) Cyber Systems; and
·continually assessing and, as necessary, enhancing the Company’s cybersecurity through a managed process integrated with the Company’s risk management principles.
The Cybersecurity Plan includes annual assessments using (i) the Department of Energy’s Cybersecurity Capability Maturity Model, (ii) the National Institute of Standards and Technology Cybersecurity Framework, and (iii) the Center for Internet Security Controls. The Company uses the results of these assessments to benchmark the Company’s cybersecurity posture, to identify risks from cybersecurity threats, to prioritize any such risks that may have potential material effects on the Company, and to establish effective controls to manage, mitigate and remediate such risks.
The Cybersecurity Plan is part of the Company’s corporate Enterprise Risk Management (ERM) program. The Company’s ERM program includes an annual review of new or emerging risks (including risks from cybersecurity threats), the assessment of such risks and their potential effects on the Company, the velocity of potential cybersecurity incidents resulting from such risks, and risk mitigation strategies.
The Company maintains a Cybersecurity Employee Awareness Program, which provides targeted education and mandatory quarterly training to employees. The Cybersecurity Employee Awareness Program also conducts monthly phishing test exercises with employees, which includes an escalation procedure for repeated failures. Additionally, the Company performs an annual cyber knowledge assessment of all employees to address any identified knowledge gaps.
The Company engages or otherwise collaborates with cybersecurity consultants, cybersecurity experts, energy sector leaders, and other third parties in connection with the Cybersecurity Plan. Unitil Corporation also is a member of the cyber committees of both the American Gas Association and the Edison Electric Institute.
Third party entities that provide hardware, software or related support services to the Company or hold the Company’s customer data represent material cybersecurity risks to the Company. To help mitigate those risks, the Company has robust procurement processes and requirements for such third parties (which include a formal assessment of the third party’s cyber posture, cyber liability insurance, and breach reporting protocols) that help the Company to oversee and identify cybersecurity risks associated with its use of such third party entities.
During the fiscal year ended, and as of, December 31, 2023, there were no risks from cybersecurity threats (including as a result of previous cybersecurity incidents) that have materially affected or are reasonably likely to materially affect the Company (including its business strategy, results of operations, or financial condition).
Governance
Unitil Corporation’s Board of Directors (the “Board”) is responsible for oversight of the Company’s ERM program, including risks from cybersecurity threats. The Board has not assigned that responsibility to any committee or subcommittee of the Board. The Company’s management generally provides the Board with updates on and assessments of ongoing and emerging risks from cybersecurity threats at regularly scheduled Board meetings.
The Company’s cybersecurity management team is responsible for assessing and managing the Company’s material risks from cybersecurity threats, including implementing the Cybersecurity Plan. The team includes the Company’s Chief Technology Officer and Vice President of Information Technology (the “CTO”), the Director of Information Security, and two Cybersecurity Analysts, all of whom have an educational background relevant to, professional experience in, or other expertise in cybersecurity. This team is supported by the Company’s Information Technology department. The CTO holds a Master of Business Administration and a Bachelor of Science in Electrical Engineering with over 30 years of professional experience in the utility industry, with extensive management experience in engineering, operations and information technology. The CTO also assumes responsibilities as the Company’s Chief Information Security Officer and its Chief Cyber Security Officer. The CTO has overall management responsibility for the Company’s cybersecurity. The CTO reports to the Company’s Chief Executive Officer. The Director of Information Security holds a Bachelor of Science in Computer Science and a Master’s Certificate in Cyber Security with a concentration in Power Systems and has over 30 years of experience in the information technology field. The Director of Information Security has primary responsibility for the cybersecurity program, including threat and vulnerability management, vendor security posture assessment, Industrial Control System (ICS) and SCADA infrastructure protection at electric substations and natural gas plants, as well as leading the Cyber Incident Response Team. One of the Cybersecurity Analysts has a Bachelor of Science in Information Technology and the other has a Bachelor of Science in Criminal Justice / Computer Crime and Digital Forensics, and the Cybersecurity Analysts have a combined 25 years of experience in various information technology and cyber roles.
The Company’s cybersecurity management team assesses and manages the Company’s material risks from cybersecurity threats through or by:
·active monitoring of cyber threat alerts, warnings, advisories, notices, vulnerability assessments, incident bulletins, security briefings, reports and white papers from industry and national organizations, including: Downstream Natural Gas Information Sharing and Analysis Center; Electricity Information Sharing and Analysis Center; Cybersecurity and Infrastructure Security Agency; and Federal Bureau of Investigation;
·threat and vulnerability management;
·vendor security posture assessment;
·Industrial Control System and Supervisory Control and Data Acquisition infrastructure protection at electric substations and natural gas plants; and
·leading the Company’s Cyber Incident Response Team.
In addition, the Company uses (i) a Security Operations Center vendor with 24x7 monitoring and response capabilities to identify any suspicious activity on the Company’s networks and (ii) a security consulting firm for assessments, penetration testing and incident response. In the event of a cybersecurity threat, the CTO and these parties would collaborate to assess and manage the risk with ultimate responsibility residing with the Board.
Also, in the event of a cybersecurity threat or cybersecurity incident, the Company’s cybersecurity management team will conduct an investigation and impact analysis and, as necessary, the CTO will activate the Company’s Cyber Incident Response Team. The Cyber Incident Response Team is a subset of the Company’s Crisis Response Team, which has responsibility for operational and business resilience, as well as tactical and strategic response. A foundational aspect of the Crisis Response Team is prompt and comprehensive communications to all concerned parties, both internal and external, including direction for management to inform the Board about risks from cybersecurity threats.
In the event that a cybersecurity incident occurs which results in damage to the Company’s data or infrastructure, the Cyber Incident Response Team would follow the Company’s Cyber Incident Response Plan. The Cyber Incident Response Plan was developed using the guidelines described in the National Institute of Standards and Technology Special Publication 800-61 Revision 2 Computer Security Incident Handling Guide, has been reviewed and assessed by outside experts, is updated annually, and is used to train for cybersecurity incidents. The Cyber Incident Response Plan details the identification, containment, eradication and recovery processes specific to the Company’s environment with prioritization of critical assets. The Cyber Incident Response Plan also details emergency actions required to isolate and protect industrial control system environments, should the incident pose a risk to electric or gas operations. The Company participates in annual industry drill exercises to test the Cyber Incident Response Plan.
The Company’s determination of the materiality of a cybersecurity incident would generally include an evaluation of the incident’s effect on the Company (including (i) its business strategy, results of operations, or financial condition, (ii) the integrity, confidentiality, resiliency, and security of the Company’s networks and systems, and (iii) the Company’s operations).