DOMINION ENERGY SOUTH CAROLINA, INC. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on July 16, 2024

DOMINION ENERGY SOUTH CAROLINA, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 07:35:10 EST.

Filings

10-K filed on 2024-02-23

DOMINION ENERGY SOUTH CAROLINA, INC. filed a 10-K at 2024-02-23 07:35:10 EST
Accession Number: 0000950170-24-019113

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyber security Risk Management and Strategy In an effort to reduce the likelihood and severity of cyber intrusions, Dominion Energy has a comprehensive cybersecurity program covering its operations, including DESC, designed to protect and preserve the confidentiality, integrity and availability of data and systems. Consideration of cybersecurity risks is a key component of Dominion Energy’s overall risk management and integrated into processes such as evaluation of potential new vendors or suppliers. Dominion Energy is subject to mandatory cybersecurity regulatory requirements, interface regularly with a wide range of external organizations and participate in classified briefings to maintain an awareness of current cybersecurity threats and vulnerabilities. Dominion Energy’s corporate intelligence and security program includes both cybersecurity and threat intelligence components as part of its evaluation and mitigation of risks. The evaluation of risks includes consideration of cybersecurity and privacy risk, including potential impact on Dominion Energy’s employees, customers, supply chain and other stakeholders, intelligence briefings on notable cyber events impacting the industry and evaluation of insider threats. Dominion Energy utilizes a robust set of internal and third-party assessment tools to test its cyber risk management policies, practices and procedures as well as challenge assumptions upon which its defenses are built. These assessments provide opportunities for self-critical analysis and constructive feedback needed to build cyber resilience. Trainings are routinely provided to employees to help identify, avoid and mitigate cybersecurity threats and to ensure an understanding of Dominion Energy’s cyber risk management policies. In addition, risk assessments are conducted as a component of the evaluation of vendors and suppliers. Dominion Energy’s current security posture and regulatory compliance efforts are intended to address the evolving and changing cyber threats. During the past three years, DESC has not experienced any cybersecurity incidents resulting in a material impact to their business strategy, results of operations or financial condition. DESC has identified the risk that a hostile cyber intrusion could severely impair DESC’s operations, lead to disclosure of confidential information, damage Dominion Energy’s reputation or otherwise have an adverse effect on DESC’s business as disclosed under the Operational Risks header within Item 1A. Risk Factors. Governance Dominion Energy’s Board of Directors, including its finance and risk oversight committee, provides oversight of risks from cybersecurity threats to all Dominion Energy operations, including DESC. Dominion Energy’s Board of Directors as well as its finance and risk oversight committee receive presentations and reports throughout the year on cybersecurity and information security risk from management, including Dominion Energy’s chief security officer, director of cybersecurity and chief information officer. These presentations and reports address a broad range of topics, including Dominion Energy’s cyber risk management program, updates on recent cybersecurity threats and incidents across the industry, policies and practices, industry trends, threat environment and vulnerability assessments and specific and ongoing efforts to prevent, detect and respond to internal and external critical threats, including management’s hosting in 2023 of its second practical exercise with external federal, state and local incident response partners. In addition, Dominion Energy’s Board of Directors receives briefings from time to time from outside experts for an independent view on cybersecurity risks, including an assessment by an independent consulting firm of management’s response in a ransomware tabletop drill. Dominion Energy utilizes an organization structure known as a converged security model that brings together cybersecurity, physical security and threat intelligence within one department led by the chief security officer. The chief security officer joined Dominion Energy in this role in 2018 and has an extensive background in security having retired from the Federal Bureau of Investigation after a more than 20-year career focused on criminal, counter-terrorism, counter-intelligence and cyber investigations. The chief security officer belongs to the Federal Bureau of Investigation’s Domestic Security Alliance Council, the Department of Homeland Security’s 14 Classified Intelligence Forum and is a member of the national Government/Business Executive Forum. In addition to serving on multiple university advisory boards, the chief security officer also serves on the Commonwealth of Virginia’s Informational Technology Advisory Council. The director of cybersecurity has over 30 years of experience at Dominion Energy primarily in various roles within the information technology department, including information technology risk management, as well as cybersecurity. The director of cybersecurity has been involved in designing and evolving Dominion Energy’s cyber risk management policies, practices and procedures. This individual has deep relationships with key external partners and is recognized within the industry and the U.S. as a leading cybersecurity expert. In addition, management of cybersecurity threats is shared with the chief information officer who is responsible for Dominion Energy’s technology assets including hardware, software, networks, servers and telecommunications. The chief information officer has over 25 years of experience at Dominion Energy primarily in various roles within the information technology department, including information technology risk management. In addition, the chief information officer previously served on the board of the Virginia Cybersecurity Partnership, a collaboration between private industry and the Federal Bureau of Investigation. The chief security officer and chief information officer are supported by the senior vice president of administrative services as well as Dominion Energy’s operations, legal, audit, corporate risk, supply chain, human resources and accounting departments in executing its cybersecurity program. In addition, the chief security officer and chief information officer provide periodic updates concerning recent developments affecting cybersecurity and privacy risk to Dominion Energy’s executive cyber risk council, which includes executive officers responsible for administrative services, corporate affairs, supply chain, corporate secretary and corporate risk along with legal counsel. Dominion Energy maintains a robust, tested and regularly revised Cyber Security Incident Response Plan and a Vendor Compromise Response Plan. These plans detail roles, responsibilities, and actions to be taken in response to a detected event whether internal or associated with a third-party service provider. The plans provide clear direction for escalation of information to leadership, including Dominion Energy’s Board of Directors as appropriate, and drive collaboration amongst relevant members of management representing cybersecurity, information technology, operations, supply chain, legal and accounting departments. As necessary, the COO, CFO and chief legal officer will advise the CEO on any incidents which could potentially have a material effect on Dominion Energy’s business operations, results of operations or financial condition.


Company Information

NameDOMINION ENERGY SOUTH CAROLINA, INC.
CIK0000091882
SIC DescriptionElectric & Other Services Combined
Ticker
Website
CategoryNon-accelerated filer
Fiscal Year EndDecember 30