|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its data.
Managing Material Risks & Integrated Overall Risk Management
The Company embraces risk management across the company, to include cybersecurity risk. This comprehensive approach ensures that cybersecurity considerations are an integral part of its decision-making processes at every level. The Company’s risk management team works closely with its IT department to continuously evaluate and address cybersecurity risks in alignment with its business objectives and operational needs.
Engage Third Parties on Risk Management
To address the evolving nature and complexity of cybersecurity threats, the Company engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing its risk management systems. These partnerships enable the Company to leverage specialized knowledge and insights with respect to its cybersecurity strategies and processes. The collaboration with these third parties includes regular audits, threat assessments, penetration testing, and consultation on security enhancements.
Oversee Third-party Risk
The Company recognizes that cybersecurity threats and risks are amplified with the addition of third-party digital service providers. In response, the Company implements stringent processes to oversee and manage these risks. It conducts thorough security assessments of all third-party providers before engagement and maintains ongoing monitoring to ensure compliance with its cybersecurity standards. This process is also intended to provide for the security and integrity of the Company’s data that may be stored on third-party systems. The monitoring includes quarterly assessments made by the contracted Chief Information Officer, or CIO, and on an ongoing basis by its dedicated cybersecurity staff. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Incident Response Plan
The Company maintains and tests its Incident Response Plan, or IRP, to appropriately document plans for identifying, prioritizing, containing, and communicating information related to an incident. The Company completes annual tabletop testing of its IRP, including a testing results review to identify opportunities for improvement.
Risk Evaluation
Water utilities face several cybersecurity risks due to their critical role in monitoring and controlling water treatment and distribution processes and servicing customers. The key risks the Company has evaluated that could adversely impact system confidentiality, integrity, and/or availability include:
Identified Material Risks
To date, the Company has not encountered cybersecurity challenges, risks, or breaches that have materially impaired its business strategy, operations, or its financial standing.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company embraces risk management across the company, to include cybersecurity risk. This comprehensive approach ensures that cybersecurity considerations are an integral part of its decision-making processes at every level. The Company’s risk management team works closely with its IT department to continuously evaluate and address cybersecurity risks in alignment with its business objectives and operational needs.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
To date, the Company has not encountered cybersecurity challenges, risks, or breaches that have materially impaired its business strategy, operations, or its financial standing.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors Oversight of Cybersecurity Material Risks – Governance
The Board of Directors, or the Board, is keenly aware of the critical nature of cybersecurity risks, particularly in its business as a public utility providing a life sustaining product. The Board, in partnership with the Executive team, has created a robust cybersecurity program, with meaningful oversight measures and tools for tracking and managing cyber risks and threats. The Company understands the importance of its product and services to the communities that it serves and is dedicated to maintaining high stakeholder confidence in its operations.
Board Oversight
The Audit Committee is the lead Board committee with oversight of the cybersecurity program and bears the primary responsibility for this aspect of the business. The Audit Committee is comprised of Board members with diverse professional backgrounds, such as accounting/finance, utility security, risk management, and business performance integration. The breadth of experience in this Committee enables it to be the most appropriate lead in oversight of cybersecurity risks and capability.
Management Role
The Chief Administrative Officer and General Counsel has primary oversight of the IT Department and the cybersecurity program, with a direct reporting relationship to the President and Chief Executive Officer. The Chief Administrative Officer and General Counsel also reports to the Audit Committee at least two times per calendar year and presents a report to the Board at least once per calendar year. These briefings include both educational and program status information, including:
In addition to scheduled presentations described above, the IT Department contracted CIO, the Chief Administrative Officer and General Counsel, and the President and Chief Executive Officer maintain constant dialogue regarding emerging or potential cybersecurity risks and threats. The Chief Administrative Officer and General Counsel is in regular contact with the Audit Committee Chair related to these risks so that the oversight by the Board can be both proactive and responsive. The Audit Committee has the authority to actively participate in strategic decisions related to cybersecurity and offers guidance and approval for major initiatives. As a result, cybersecurity considerations can be integrated into the foundation of broader corporate objectives. The Audit Committee and the Board conduct an annual review of the Company’s cybersecurity risk position and the effectiveness of its risk management strategies and measures. From this review at the Board level, the Company is able to identify areas where there exist improvement opportunities and can set goals for the following year.
Risk Management Personnel
Primary responsibility for assessing, monitoring, and managing cybersecurity risks rests with the CIO, who has oversight over the IT Department, including one dedicated cybersecurity staff person and select specialized contractors. This group of contractors includes a Chief Information Security Officer, IT Director, Cybersecurity Analysts, Network Engineers, and Network Administrators. The CIO, Chief Information Security Officer, and IT Director all have a minimum of ten years of experience in the cybersecurity and technology leadership field.
Monitor Cybersecurity Risks
The cybersecurity team actively monitors for cybersecurity risks by employing the use of endpoint detection and response solutions with immediate alert notifications, vulnerability scanning solutions that proactively identify risks, and by monitoring the logs of network devices.
Reporting to the Board
The Chief Administrative Officer and General Counsel has primary responsibility to report to the President and Chief Executive Officer and to the Board and presents with the CIO where appropriate for the content of the presentation and/or to facilitate a substantive discussion. The CIO, through the Chief Administrative Officer and General Counsel, ensures that the highest levels of the Company remain informed about the cybersecurity posture, potential risks, events, and response if they occur. Material cybersecurity matters, and significant strategic risk management processes and decisions are elevated to the Board by the Chief Administrative Officer and General Counsel, ensuring that the Board has effective and substantive oversight and may provide input and guidance on critical cybersecurity measures and issues.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit Committee is the lead Board committee with oversight of the cybersecurity program and bears the primary responsibility for this aspect of the business. The Audit Committee is comprised of Board members with diverse professional backgrounds, such as accounting/finance, utility security, risk management, and business performance integration. The breadth of experience in this Committee enables it to be the most appropriate lead in oversight of cybersecurity risks and capability.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Chief Administrative Officer and General Counsel has primary oversight of the IT Department and the cybersecurity program, with a direct reporting relationship to the President and Chief Executive Officer. The Chief Administrative Officer and General Counsel also reports to the Audit Committee at least two times per calendar year and presents a report to the Board at least once per calendar year. These briefings include both educational and program status information, including:
|Cybersecurity Risk Role of Management [Text Block]
|
The Chief Administrative Officer and General Counsel has primary oversight of the IT Department and the cybersecurity program, with a direct reporting relationship to the President and Chief Executive Officer. The Chief Administrative Officer and General Counsel also reports to the Audit Committee at least two times per calendar year and presents a report to the Board at least once per calendar year. These briefings include both educational and program status information, including:
In addition to scheduled presentations described above, the IT Department contracted CIO, the Chief Administrative Officer and General Counsel, and the President and Chief Executive Officer maintain constant dialogue regarding emerging or potential cybersecurity risks and threats. The Chief Administrative Officer and General Counsel is in regular contact with the Audit Committee Chair related to these risks so that the oversight by the Board can be both proactive and responsive. The Audit Committee has the authority to actively participate in strategic decisions related to cybersecurity and offers guidance and approval for major initiatives. As a result, cybersecurity considerations can be integrated into the foundation of broader corporate objectives. The Audit Committee and the Board conduct an annual review of the Company’s cybersecurity risk position and the effectiveness of its risk management strategies and measures. From this review at the Board level, the Company is able to identify areas where there exist improvement opportunities and can set goals for the following year.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Primary responsibility for assessing, monitoring, and managing cybersecurity risks rests with the CIO, who has oversight over the IT Department, including one dedicated cybersecurity staff person and select specialized contractors. This group of contractors includes a Chief Information Security Officer, IT Director, Cybersecurity Analysts, Network Engineers, and Network Administrators.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CIO, Chief Information Security Officer, and IT Director all have a minimum of ten years of experience in the cybersecurity and technology leadership field.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The cybersecurity team actively monitors for cybersecurity risks by employing the use of endpoint detection and response solutions with immediate alert notifications, vulnerability scanning solutions that proactively identify risks, and by monitoring the logs of network devices.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef