ARTESIAN RESOURCES CORP 10-K Cybersecurity GRC - 2024-03-18

Page last updated on April 11, 2024

ARTESIAN RESOURCES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-18 16:49:11 EDT.

Filings

10-K filed on 2024-03-18

ARTESIAN RESOURCES CORP filed an 10-K at 2024-03-18 16:49:11 EDT
Accession Number: 0000863110-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity
Item 1C - Cybersecurity. Risk Associated with Management Turnover in our management team could have an adverse impact on our business or the financial market s perception of our ability to continue to grow. Our success depends significantly on the continued contribution of our management team both individually and collectively. The loss of the services of any member of our management team or the inability to hire and retain experienced management personnel could harm our operating results. In addition, turnover in our management team could adversely affect the financial market s perception of our ability to continue to grow. 15 Table of Contents Risks Related to Our Common Stock There can be no assurance that we will continue to pay dividends in the future or, if dividends are paid, that they will be in amounts similar to past dividends. Dividends on our common stock will only be paid if and when declared by our Board of Directors. Our earnings, financial condition, capital requirements, applicable regulations and other factors, including the timeliness and adequacy of rate increases, will determine both our ability to pay dividends on common stock and the amount of the dividends declared by our Board of Directors. There can be no assurance that we will continue to pay dividends in the future or, if dividends are paid, that they will be in amounts similar to past dividends. Holders of Class A Non-Voting Common Stock have no voting rights. As a result, holders of Class A Non-Voting Common Stock will not have any ability to influence stockholder decisions. We have two classes of common stock, Class A Non-Voting Common Stock and Class B Common Stock. Under our Restated Certificate of Incorporation, the right to vote for the election of directors and other stockholder matters is exercised exclusively by the holders of Class B Common Stock. The holders of our Class A Non-Voting Common Stock do not have voting rights on any matters that are submitted to a vote of stockholders, including with respect to the election of directors and other matters voted upon by stockholders, except as required by the Delaware General Corporation Law. The principal stockholders have significant control over the outcome of most fundamental corporate matters. The price of our common stock may be volatile and may be affected by market conditions beyond our control. The trading price of our common stock may fluctuate in the future based on a variety of factors, many of which are beyond our control and unrelated to our financial results. Factors that could cause fluctuations in the trading price of our common stock include but are not limited to volatility of the general stock market or the utility stock index, regulatory developments, general economic conditions and trends, actual or anticipated changes or fluctuations in our results of operations, actual or anticipated changes in the expectations of investors or securities analysts, actual or anticipated developments in our competitors businesses or the competitive landscape generally, litigation involving us or our industry, major catastrophic events or sales of large blocks of our stock. Furthermore, we believe that stockholders invest in public utility stocks in part because they seek reliable dividend payments. If there is an oversupply of stock of public utilities in the market relative to demand by such investors, the trading price of our common stock may decrease. Additionally, if interest rates rise above the dividend yield offered by our common stock, demand for our stock and its trading price may also decrease. Risk Related to Pandemics Our business, results of operations, financial condition, cash flows and stock price may be adversely affected by pandemics, epidemics or other public health emergencies. Our business, results of operations, financial condition, cash flows and stock price may be adversely affected by pandemics, epidemics or other public health emergencies. We are considered an essential utility service company, as defined by the U.S. Department of Homeland Security. We believe we will continue to operate our business consistent with any federal guidelines or state and local orders, however, the outbreak of pandemics, epidemics or other public health emergencies and any preventive or protective actions taken by governmental authorities may have an adverse effect on our operations. ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C. CYBERSECURITY There have been an increasing number of cyberattacks on companies around the world, which have caused operational failures, compromised sensitive corporate or customer data, and/or resulted in significant financial damages. These attacks have occurred over the internet, through malware, viruses or attachments to e-mails, or through inside actors with access to systems within the organization. Risk Management and Strategy We have implemented security measures and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks. All employees receive cybersecurity training and other education regarding their use of computers, information technology, and sensitive data. We utilize third parties to support our information technology, or IT, resources, including disaster recovery intended to safeguard our ability to access and use our IT resources during a disaster or cyber incident. Our business continuity plans are evaluated against evolving security and service level standards, which includes evaluating those cybersecurity threats associated with our use of key third party service providers. 16 Table of Contents Our cybersecurity management process consists of utilizing a combination of employee education, preventative controls, detective controls, and periodic third-party cybersecurity testing. We have installed and utilize enterprise scale technology to support an appropriate cybersecurity posture including: endpoint detection and response, firewalls, security information and event management, email security, multifactor authentication, and vulnerability management. We receive cybersecurity related alerts from our membership in a number of industry groups. These alerts are evaluated and in the event an alert requires action within our environment, such actions are taken promptly. Our process and cybersecurity posture is refined based on the results of periodic third party cybersecurity assessments. We engage with the Cybersecurity and Infrastructure Security Agency through their cyber hygiene service offerings. Cybersecurity is addressed in IT s reports to the Corporate Automation Steering Committee, which consists of all Officers and the Director of Customer Service, as well as in IT s reports to the Board of Directors. Should a cyber event occur, depending on the severity of an event, our cyber incident reporting process includes informing, as early as practicable, our senior corporate management. Governance The Audit Committee of the Board of Directors, as overseen by the full Board of Directors, is responsible for oversight of cybersecurity risk. Our IT executives report on our cybersecurity practices and risks at each meeting of the Audit Committee of our Board of Directors. In addition, our IT executives provide periodic updates on cybersecurity risks to our management at regularly held executive committee meetings. Should any cybersecurity threat or incident be detected, our IT executives would timely report such threat or incident to the management executive committee and provide regular communications and updates to the executive committee throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken. Any incident identified by the management executive committee as having a material impact would be promptly escalated to all members of the Board of Directors. Should there be an incident which does not rise to the level of being material, such incident would, at minimum, be included in the subsequent IT reports to both the management executive committee and the Board of Directors. We believe we are appropriately staffed to support a healthy cybersecurity posture. All IT personnel have a combination of professional experience, education, and/or certifications for their area of responsibility. For IT leadership, our Chief Information Officer earned a Masters of Business Administration and also a Master of Science degree in Information Systems & Technology Management. Our Vice President of Information Technology earned a Bachelor of Science in Computer Science and Business and a Bachelor of Science in Business and Economics. The Vice President of Information Technology is also a Certified Public Accountant, a Certified Information Systems Auditor, and a Chartered Global Management Accountant. Our Director of Cybersecurity earned an Associates Degree in Computer Network Engineering and is a Certified Information Systems Security Professional. To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. However, despite all of the above aforementioned efforts, a cyberattack, if it occurred, could cause water or wastewater system operational problems, disrupt service to our customers, compromise important data or systems or result in an unintended release of customer or other confidential information. See Item 1A. Risk Factors Risks Related to Cybersecurity and Technology for additional discussion of cybersecurity risks impacting our Company. 17 Table of Contents
ITEM 1C. CYBERSECURITY There have been an increasing number of cyberattacks on companies around the world, which have caused operational failures, compromised sensitive corporate or customer data, and/or resulted in significant financial damages. These attacks have occurred over the internet, through malware, viruses or attachments to e-mails, or through inside actors with access to systems within the organization. Risk Management and Strategy We have implemented security measures and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks. All employees receive cybersecurity training and other education regarding their use of computers, information technology, and sensitive data. We utilize third parties to support our information technology, or IT, resources, including disaster recovery intended to safeguard our ability to access and use our IT resources during a disaster or cyber incident. Our business continuity plans are evaluated against evolving security and service level standards, which includes evaluating those cybersecurity threats associated with our use of key third party service providers. 16 Table of Contents Our cybersecurity management process consists of utilizing a combination of employee education, preventative controls, detective controls, and periodic third-party cybersecurity testing. We have installed and utilize enterprise scale technology to support an appropriate cybersecurity posture including: endpoint detection and response, firewalls, security information and event management, email security, multifactor authentication, and vulnerability management. We receive cybersecurity related alerts from our membership in a number of industry groups. These alerts are evaluated and in the event an alert requires action within our environment, such actions are taken promptly. Our process and cybersecurity posture is refined based on the results of periodic third party cybersecurity assessments. We engage with the Cybersecurity and Infrastructure Security Agency through their cyber hygiene service offerings. Cybersecurity is addressed in IT s reports to the Corporate Automation Steering Committee, which consists of all Officers and the Director of Customer Service, as well as in IT s reports to the Board of Directors. Should a cyber event occur, depending on the severity of an event, our cyber incident reporting process includes informing, as early as practicable, our senior corporate management. Governance The Audit Committee of the Board of Directors, as overseen by the full Board of Directors, is responsible for oversight of cybersecurity risk. Our IT executives report on our cybersecurity practices and risks at each meeting of the Audit Committee of our Board of Directors. In addition, our IT executives provide periodic updates on cybersecurity risks to our management at regularly held executive committee meetings. Should any cybersecurity threat or incident be detected, our IT executives would timely report such threat or incident to the management executive committee and provide regular communications and updates to the executive committee throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken. Any incident identified by the management executive committee as having a material impact would be promptly escalated to all members of the Board of Directors. Should there be an incident which does not rise to the level of being material, such incident would, at minimum, be included in the subsequent IT reports to both the management executive committee and the Board of Directors. We believe we are appropriately staffed to support a healthy cybersecurity posture. All IT personnel have a combination of professional experience, education, and/or certifications for their area of responsibility. For IT leadership, our Chief Information Officer earned a Masters of Business Administration and also a Master of Science degree in Information Systems & Technology Management. Our Vice President of Information Technology earned a Bachelor of Science in Computer Science and Business and a Bachelor of Science in Business and Economics. The Vice President of Information Technology is also a Certified Public Accountant, a Certified Information Systems Auditor, and a Chartered Global Management Accountant. Our Director of Cybersecurity earned an Associates Degree in Computer Network Engineering and is a Certified Information Systems Security Professional. To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. However, despite all of the above aforementioned efforts, a cyberattack, if it occurred, could cause water or wastewater system operational problems, disrupt service to our customers, compromise important data or systems or result in an unintended release of customer or other confidential information. See Item 1A. Risk Factors Risks Related to Cybersecurity and Technology for additional discussion of cybersecurity risks impacting our Company. 17 Table of Contents

Company Information