Consolidated Water Co. Ltd. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Consolidated Water Co. Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 16:52:45 EDT.

Filings

10-K filed on 2024-03-27

Consolidated Water Co. Ltd. filed an 10-K at 2024-03-27 16:52:45 EDT
Accession Number: 0001558370-24-004095

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy Our information technology ( IT ) and cybersecurity programs are crucial to maintaining secure operations, which enable us to deliver on our promise to customers and maintain stakeholder trust. Our Vice President of Information Technology ( VP IT ) is responsible for establishing, implementing, and executing our cybersecurity program and strategy. Our VP IT has more than 25 years of IT, IT audit, and cybersecurity experience, and is involved in assessing the latest developments in cybersecurity, including potential threats and innovative risk management techniques. All IT staff are obliged to include cybersecurity as part of their everyday considerations and tasks. Our cybersecurity program is a critical component of our enterprise risk management process overseen by our Board of Directors, and we have integrated cybersecurity-related risks into our overall enterprise risk management framework. Additionally, cybersecurity-related risks are included in the risk universe that the risk management function evaluates to assess top risks to the enterprise on an annual basis. Our IT department proactively identifies, manages, and mitigates cyber risk in a variety of ways, including but not limited to: a. A formal enterprise-wide cybersecurity policy and related standards b. Cybersecurity training and employee phishing simulations c. Ongoing vulnerability assessment, identification, and remediation d. Cyber incident response, IT disaster recovery, and business continuity plans e. Identity and access management controls f. Automated patch management and security updates g. Network isolation of key operations environments and h. Email filtering with attachment inspection and targeted threat protection. The standards set in our cybersecurity program include the implementation of controls that are aligned with industry guidelines and applicable regulations to identify threats, deter attacks, and protect our information security assets. These standards are guided, in part, by the relevant National Institute of Standards and Technology (NIST) and American Water Works Association (AWWA) frameworks and guidance. We use various tools, security measures and technologies to aid in seeking to protect our network perimeter and internal systems from unauthorized access, intrusion, or disruption. Assessments are conducted across our systems, networks, and data infrastructure to identify potential cybersecurity threats and vulnerabilities. We have policies and procedures in place for selecting and managing our relationships with third-party service providers and other business partners, including monitoring compliance with our agreements and regulatory and legal requirements. We also actively engage with industry participants and related communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. In addition, a monitoring and detection system has been implemented to help identify cybersecurity threats and incidents. Our cybersecurity program also focuses on providing training and awareness to our employees and contractors on cybersecurity best practices. 21 Table of Contents Cybersecurity Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other IT risks. The Audit Committee oversees management s implementation of our cybersecurity risk management program. The Audit Committee oversees the management of our cybersecurity risk exposures and the steps management has taken to monitor and control such exposures. At each quarterly meeting, the Audit Committee receives an update from our VP IT and other members of management on relevant topics, including cybersecurity program maturity progress, new capabilities implemented, testing results, key cyber risk metrics (e.g., simulated phishing testing and vulnerability management) and notable incidents or events should they occur. On an annual basis, our Board of Directors meets with our VP IT and our third-party cybersecurity consultant to review our cybersecurity strategy. In accordance with our cybersecurity incident response plan, our Board of Directors is promptly informed of potentially material cybersecurity incidents, including with respect to our third-party service providers. Although we have experienced cybersecurity incidents from time to time that have not had a material adverse effect on our business, financial condition, or results of operations, there can be no assurance that a cyber-attack, security breach, or other cybersecurity incident will not have a material adverse effect on us in the future. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us and alerts and reports produced by security tools deployed in the IT environment. For a discussion regarding risks from cybersecurity threats that have or are reasonably likely to affect the company, see the risk factor titled Our business could be adversely affected by cyber threats or other interruptions to information technology, communications networks and operations. in Item 1A of this Annual Report on Form 10-K.

Company Information