ITC Holdings Corp. - (ITC)

10-K Filing Date: February 09, 2024
ITEM 1C. CYBERSECURITY.
In response to cybersecurity threats to our business, which include threats to our operations, critical infrastructure assets, information systems and data, we have developed a comprehensive cybersecurity risk management program.
Governance
Primary responsibility for assessing, monitoring, and managing our cybersecurity risks is overseen by our Chief Information Officer (CIO). Our CIO has maintained certification as a Certified Information Security Manager since 2006 and brings extensive experience in information technology and in-depth knowledge in developing and executing our cybersecurity strategies. At the direction of the Board of Directors, our management has developed a cybersecurity policy which includes the establishment of, and ongoing monitoring by, a cybersecurity steering committee led by the CIO and comprised of executives from key departments, including legal, finance, accounting, operations, engineering and human resources. The committee meets quarterly and on an as-needed basis and is charged with overseeing and assisting the information technology department in directing cybersecurity activities to protect the Company, including its operations, systems and related information. It also oversees and reviews policies, procedures, and internal controls for cybersecurity as well as the cybersecurity risk management program.
Given the importance to our business and the heightened risk, the Board of Directors provides oversight of management’s response to cybersecurity risks. Management, including our CIO, provides the Board of Directors periodic updates on cybersecurity, including updates on cyber goals, cybersecurity risks, and related risk mitigation strategies. As part of our enterprise risk management process, an annual risk assessment is completed by a cross-functional group of management led by our finance department, and includes members of our information technology department for the cybersecurity assessment section. The results of the risk assessment, as well as mitigation strategies, are discussed with the Board of Directors.
Risk Management and Strategy
In addition to the enterprise risk management process, we utilize an additional cybersecurity risk management process that assesses the risks and protections of several key assets within the organization. As a result of these assessments and as the threat landscape becomes increasingly sophisticated, we continue to evolve our defensive strategy by deploying new technology, continuing education of our user community, and advancing our protections against ongoing cybersecurity risks and threats. We leverage threat intelligence and external industry practices for continuous improvement and refinement of our cybersecurity program.
Given the regulatory framework under which we operate, we follow a cybersecurity incident response plan that is tested annually in compliance with NERC’s critical infrastructure protection standards and includes external disclosure procedures. This plan identifies the members of our cybersecurity incident response team and the criteria to identify, classify and respond to a cybersecurity incident. Cybersecurity incidents are communicated to internal stakeholders, such as management and the Board of Directors, and external stakeholders based on severity of the incident in accordance with the cybersecurity response plan.
Our CIO oversees a team of cybersecurity professionals in the cyber security operations center with certifications in cybersecurity engineering and cybersecurity operational areas. We also utilize internal audits to periodically assess the effectiveness of our cybersecurity processes and external parties to periodically conduct threat and vulnerability assessments. We continue to invest in training for all employees, including training for our cybersecurity professionals on the specific technologies utilized within the company and development of these individuals to keep their knowledge current. Additionally, we have a vendor risk management program to review and assess cybersecurity risks related to utilizing information technology vendor products and services for new and existing vendors that is subject to ongoing monitoring.
We are not aware of any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect the Company, our business strategy, results of operations or financial condition.