PUGET ENERGY INC /WA 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

PUGET ENERGY INC /WA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 16:43:26 EST.

Filings

10-K filed on 2024-03-05

PUGET ENERGY INC /WA filed a 10-K at 2024-03-05 16:43:26 EST
Accession Number: 0001085392-24-000008


Item 1C. Cybersecurity.

PSE maintains a comprehensive business continuity plan that includes the identification, assessment and management of risks arising from various avenues, including cyber. Business continuity includes action plans to respond to and remedy information technology (IT) outages, attacks, and other cyber threats, which are maintained between two specific plans, the IT disaster recovery plan and the cybersecurity incident response plan (CSIRP). The CSIRP specifies guidance for various cyber related risks to ensure business continuity and timely reporting of incidents to various governing bodies, including the SEC. The CSIRP is a perpetually updated plan that is managed by the Chief Information Security Officer (CISO) and Chief Information Officer (CIO).

PSE’s CIO has served in various roles in IT and IT security for over 15 years, including serving as Chief Operating Officer or Chief Information Officer primarily in the financial services industry. Further, the CIO holds an undergraduate degree in computer science. PSE’s CISO has over 15 years of experience managing IT security across different industries and companies. Additionally, the CISO holds an undergraduate degree and has been a Certified Information Systems Security Professional for over 15 years.

As part of the CSIRP, PSE maintains a standalone team of IT security and risk management professionals in the Cyber Defense Center (CDC). The CDC is responsible for implementing the CSIRP, including the identification and ongoing monitoring and response to all cyber events and risks, including risks associated with the Company’s use of third-party service providers, which impact the Company.

To identify, defend, detect and respond to cyber events, PSE performs various on-going activities, such as, proactive privacy and cybersecurity reviews of systems and applications, monitoring threat intelligence information feeds, penetration testing to test security controls, conducting employee trainings, and monitoring emerging laws and regulations related to data protection and information security. Additionally, the Company conducts tabletop exercises to simulate our response to cybersecurity incidents. Depending on the nature of the incident, PSE may engage consultants, assessors, or other third-parties to assist in the assessment, testing, remediation, and/or management of cyber incidents.

Once cyber incidents are identified in the CDC, a risk assessment is performed as part of the CSIRP by the CDC. The risk assessment includes quantitative and qualitative considerations determined by a committee of individuals, including, among others, the Controller, CISO and Chief Ethics and Compliance Officer, that report to the Chief Financial Officer, CIO, and Senior Vice President General Counsel and Chief Sustainability Officer. Any cyber incidents that exceed set thresholds in the CSIRP are then escalated to the aforementioned committee for a materiality assessment and disclosure considerations.

The Company’s Audit Committee oversees management’s process for identifying and mitigating cybersecurity risks. Periodically, the CISO presents cyber incidents and risks to the audit committee as part of the board of directors’ oversight of risks from cybersecurity threats. The Audit Committee’s oversight includes understanding existing and new cybersecurity risks and status on management’s response and mitigation plans.

As of December 31, 2023, the Company was not aware of (i) any cybersecurity incidents, or (ii) any specific cybersecurity threats, that, in either case, materially affected or are reasonably likely to materially affect the business, strategy, results of operations, or financial condition of the Company. However, we can provide no assurance that there will not be cybersecurity threats or incidents in the future or that they will not materially affect PSE, including our business, strategy, results of operations, or financial condition. For more information regarding risk from cybersecurity threats, see Item 1A. “Risk Factors” included in this report.


Company Information

Name: PUGET ENERGY INC /WA
CIK: 0001085392
SIC Description: Electric Services
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30