MIDDLESEX WATER CO 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

MIDDLESEX WATER CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:47:26 EST.

Filings

10-K filed on 2024-02-29

MIDDLESEX WATER CO filed an 10-K at 2024-02-29 17:47:26 EST
Accession Number: 0001174947-24-000281

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Program The Company s cybersecurity program is an integral element of the Company’s overarching strategic plan. The robustness of the cybersecurity initiatives directly impact the realization of the Company’s mission, vision, and goals. Aligned with the National Institute of Standards and Technology Cyber Security Framework, the Company employs a comprehensive “defense-in-depth” strategy, deploying multiple security measures to safeguard its operational environment and data integrity systems. The Company continually evaluates and refines its cybersecurity program in response to key factors such as evolving threat landscapes, program maturation, gap analysis, and guidance from external security consultants. The Company s cybersecurity program relies on three key pillars: People, Process and Technology (PPT) to deliver a robust cybersecurity program. The cybersecurity program includes various aspects of PPT, including, but not limited to: Technology: Encryption, threat management, backups, monitoring, investigative support utilizing artificial intelligence embedded tools; Identity and Access Control Management Tools: Multi-factor authentication, monitoring and alerting of privilege account access; Cybersecurity Processes: Vulnerability scanning, penetration testing, and periodic assessments conducted by external security consultants; Incident Response Training: Regularly assessed incident response preparedness through various incident response and disaster recovery exercises; and Cyber Risk Awareness and Training: Frequent simulation exercises to heighten awareness of cybersecurity threats and educate our user community on preventative measures and reporting protocols. All employees participate in required periodic training with respect to cybersecurity risk and risk mitigation. Our Chief Technology Officer (CTO), with over 25 years of experience in various disciplines of information technology, oversees the cybersecurity program. Reporting to the Chief Executive Officer, the CTO provides regular briefs to the Board of Directors (the Board) and executive management, informing them about prevention, detection, mitigation, and remediation of cybersecurity incidents, as well as ongoing risks and threats. In our industry, the continuous functioning of information systems is of the utmost importance. Leveraging information technology systems, we collect, process and safeguard sensitive data and utilize automated tools to operate our plants. Identified as a critical risk factor, cybersecurity threats encompass potential hazards such as malicious code, employee misconduct, advanced persistent threats, fraud, and phishing attacks. These risks have the potential to lead to information technology system failures, threat to water supply, or compromise of sensitive information. 19 Our cybersecurity program aims to protect the uninterrupted availability of critical information technology resources. Regular assessments, conducted both internally and by third parties, evaluate our program against industry standards, including the National Institute of Standards and Technology Cybersecurity Standard and the Risk Management Framework. Although we have not experienced cybersecurity breaches or incidents that have significantly impacted our financial condition, results of operations, or business strategy, the effectiveness of our measures to prevent, detect, mitigate, or recover is based on currently known threats and recovery methods. There is no guarantee that cybersecurity breaches or incidents will not impact our business operations, strategy, financial condition, or operations. The ever-evolving landscape of cybersecurity threats introduces ongoing challenges. The Company recognizes the increasing frequency and sophistication of these threats. Despite implementing measures to secure operational and technology systems and fostering a culture of continuous improvement, the dynamic nature of cyber-attacks and vulnerabilities implies that these defenses may not be foolproof. Cybersecurity Risk Management Program and Strategy Cybersecurity risk management strategy is an integral component of our operations and our overall risk management process. Recognizing the dynamic nature of cybersecurity threats, we have implemented a comprehensive risk management program that aims to identify, assess, and mitigate potential risks. Our strategy involves a proactive approach, incorporating preventative measures, continuous monitoring, and adaptive response mechanisms. We prioritize the safeguarding of our operational network environment, sensitive data, including confidential business information and personal details of our customers and employees. Regular assessments conducted both internally and by third parties ensure our cybersecurity program aligns with industry standards. In addition to a dedicated cybersecurity team, we employ a defense-in-depth strategy, utilizing multiple security measures to protect our information technology system. Collaboration with third-party experts, industry peers and ongoing training initiatives ensures our cybersecurity strategy remains robust and responsive to evolving threats. We understand the importance of maintaining a vigilant and adaptive stance in the ever-evolving landscape of cybersecurity to safeguard our business operations, financial stability, and as a direct result, our overall success. Key elements of our cybersecurity risk mitigation approach are comprised of: A dedicated cybersecurity team; Collaboration with a third-party managed detection and response company for 24/7 monitoring and response; Cybersecurity insurance to cover a portion of losses and damages resulting from cyber-attacks or security breaches; An incident response team that is comprised of various departments required for an effective response; Conducting periodic drills and exercises, including industry collaborations and participation from the executive team; Continuous information security awareness training and phishing simulation exercises; Regular security assessments to address evolving risks and threats; Deployment of automation solutions to strengthen detection and response capabilities; and Utilizing services offered by the United States Department of Homeland Security to assist with resiliency planning. 20 Third-Party Relationships The Company utilizes partners and third-party service providers to help deliver safe and reliable water and wastewater services across its regulated operations. In connection with these relationships, we perform due diligence, cyber risk scoring, cybersecurity related contractual obligations, and periodic reviews of third-party control environments to ensure alignment with the Company’s risk exposure, business requirements, and risk tolerances. We extend our cybersecurity focus to third-party service providers by evaluating and monitoring their cybersecurity risks. High-risk vendors undergo continuous monitoring, and we maintain contractual agreements that mandate our third-party providers commitment to managing cybersecurity risks, providing incident notifications, and being subject to cybersecurity audits. Cybersecurity Governance The Corporate Governance and Nominating Committee of the Board is tasked with overseeing cybersecurity risk. Management, including the CTO, provides regular reports to the Board covering aspects such as risks, threats, the evolving threat landscape, enhancements to the cybersecurity program, and the preparedness of internal responses.

Company Information