Essential Utilities, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Essential Utilities, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 11:08:08 EST.

Filings

10-K filed on 2024-02-29

Essential Utilities, Inc. filed an 10-K at 2024-02-29 11:08:08 EST
Accession Number: 0001562762-24-000047

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecur ity Risk Management and Strategy In connection with our enterprise risk management process, we identify, prioritize and monitor key risks that may affect the Company, including risks from cyber threats. Our cybersecurity program is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We have enterprise-wide security policies, standards and controls that incorporate best practices in security engineering, technology architecture and data protection, which support regulatory compliance. Our program includes encryption, data masking technology, data loss prevention technology, authentication technology, entitlement management, access control, anti-malware software and transmission of data over private networks, among other procedures designed to protect against unauthorized access to information. We also implemented specialized programs, such as enterprise-wide communications, presentations, phishing simulations and focused training for specific roles, as well as a general cybersecurity training program required for all employees. We also engage third parties to perform regular reviews of our security framework controls to promote objectivity. Our processes to identify, assess and manage material risks of cyber threats include risks associated with third party service providers, including cloud-based platforms. We believe that these processes provide us with a comprehensive assessment of potential cyber threats. We maintain cybersecurity protection measures with respect to our information technology, including our customer data, and, in some cases, the monitoring and operation of our treatment, storage, pumping, and pipeline infrastructure. We rely on our information technology systems in connection with the operation of our business, especially with respect to customer service and billing, accounting and, in some cases, the monitoring and operation of our treatment, storage, pumping, and pipeline infrastructure. In addition, we rely on our systems to track our utility assets and to manage maintenance and construction projects, materials and supplies, and our human resource functions. To date, risks from cybersecurity threats have not materially affected the Company, and we do not believe they are reasonably likely to materially affect the Company, including its business strategy, financial condition or results of operations. Refer to Item 1A Risk Factors for additional information. Governance Role of Management - Our cybersecurity program is overseen by a cross-functional committee of senior business leaders and led by our Chief Information Officer and Information Security Director. This management committee meets bimonthly and is charged with overseeing our cybersecurity strategy, ensuring that cyber risk is managed, and that the program is aligned to business goals and objectives. Both our Chief Information Officer and Information Security Director have formal education in information technology; have combined, extensive experience working in the Company s information and technology function; and receive periodic training and education on cybersecurity-related topics. Role of the Board of Directors - The Board of Directors has a Risk and Investment Policy Committee ( RP Committee ) whose primary purpose is to assist the Board of Directors in fulfilling its oversight responsibilities. The RP Committee oversees a number of the Company s risk management practices, including cybersecurity risks. Our Chief Information Officer and Information Security Director provides updates on cybersecurity risks, threats, key developments in policies and practices, and related risk exposures to the RP Committee at least quarterly, and more often as needed. When covered during an RP Committee meeting, the Chairperson of the RP Committee reports on its discussions to the full Board of Directors. Additionally, management provides an update to the full Board of Directors at least once a year, and more often as needed. The Board of Directors annually reviews and approves the capital and operating budgets, ultimately reviewing and approving the amount spent on cybersecurity measures. 37 Table of Contents

Company Information