TUCSON ELECTRIC POWER CO 10-K Cybersecurity GRC - 2024-02-09

Page last updated on April 11, 2024

TUCSON ELECTRIC POWER CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-09 06:13:25 EST.

Filings

10-K filed on 2024-02-09

TUCSON ELECTRIC POWER CO filed a 10-K at 2024-02-09 06:13:25 EST
Accession Number: 0000100122-24-000002

Item 1C. Cybersecurity.

In response to ever-changing cybersecurity threats, TEP maintains a comprehensive cybersecurity risk management program for its operations, information systems, data, and critical infrastructure. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected TEP, including its business strategy, results of operations, or financial condition. See Part I, Item 1A Risk Factors of this Form 10-K for a discussion of cybersecurity threats that could have a material impact on TEP, which should be read in conjunction with this Item 1C for a detailed description of the risks related to cybersecurity.

Risk Management and Strategy

TEP’s cybersecurity risk management program is informed by the National Institute of Standards and Technology Cybersecurity Framework. This program includes dedicated investments in people, processes, and technology to manage and reduce cybersecurity risk, including third-party threats. Multiple layers of security controls are deployed across asset and technology classes with a special emphasis on the reliable and safe operation of TEP’s utility systems. Cybersecurity controls employed include firewalls, access management, multi-factor authentication, backups, endpoint protection, threat intelligence, and security monitoring. TEP continues to adjust and refine this program in response to the shifting threat landscape, third-party assessments, and industry best practices.

Cybersecurity risk is tactically and strategically managed by TEP’s Enterprise Cybersecurity team comprised of experienced professionals with various cybersecurity certifications, including Certified Information Systems Security Professional (CISSP) and Global Industrial Cyber Security Professional (GICSP). This team uses governmental and industry threat intelligence, such as the Electricity Information Sharing and Analysis Center, Cybersecurity and Infrastructure Security Agency, and internal cybersecurity tools to proactively identify, assess, manage, and respond to risk, including network monitoring and vulnerability scanning.

TEP regularly conducts internal evaluations and testing of its design and operational effectiveness of security controls and is subject to external independent cybersecurity audits including those associated with the NERC Critical Infrastructure Protection standards. TEP engages third-party services to provide consulting on best practices to address new challenges. TEP participates in regular cybersecurity roundtable discussions with peer cybersecurity professionals to review current threats and opportunities, lessons learned, and best practices. TEP’s Compliance Program Management Office provides additional ongoing internal oversight of response to cybersecurity regulation. Third-party cybersecurity risk is addressed through vendor risk management processes and includes technology reviews and contractual specifications. Third-party risk management is designed to reduce risk associated with the use of third-party providers.

Cybersecurity training is conducted on a regular basis and includes awareness campaigns, in-person training, and simulations. Users of TEP’s information systems are required to comply with a comprehensive internal acceptable use policy.

TEP employs and regularly exercises UNS Energy’s Cybersecurity Incident Response and Reporting Plan. This plan identifies key roles and responsibilities applicable during a cybersecurity incident and classifies incidents according to qualitative and quantitative factors that are continuously reviewed as information evolves over the course of an incident. The plan also identifies certain reporting obligations and may trigger additional response processes such as activation of UNS Energy’s Data Breach Response Plan.

Governance

Cybersecurity risk is identified and tracked through TEP’s Enterprise Risk Management (ERM) program that consists of formal vetting and quarterly reporting to the UNS Energy Audit and Risk Committee and the UNS Energy Board. The UNS Energy Board Environmental, Safety, and Security Committee oversees cybersecurity strategy, performance, and risk, and timely reviews cybersecurity events, depending on severity, even if not material to TEP. The UNS Energy Board is notified of significant cybersecurity events as outlined in UNS Energy’s Cybersecurity Incident Response and Reporting Plan.

TEP’s Security Steering Committee provides management oversight to its cybersecurity strategy, performance, and risk. This committee also reviews significant cybersecurity events, including the scope of the incident and the associated prevention, detection, mitigation, and remediation efforts. This committee includes the Chief Information Officer, Chief Financial Officer, Chief Legal Officer, Senior Director of IT Operations and Enterprise Security, and others with the requisite cybersecurity experience, training, and skills who oversee TEP’s ERM program. The Senior Director of IT Operations and Enterprise Security holds CISSP and GICSP certifications.


Company Information

Name: TUCSON ELECTRIC POWER CO
CIK: 0000100122
SIC Description: Electric Services
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30