ATMOS ENERGY CORP 10-K Cybersecurity GRC - 2024-11-18

Page last updated on November 18, 2024

ATMOS ENERGY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-18 16:20:38 EST.

Filings

10-K filed on 2024-11-18

ATMOS ENERGY CORP filed a 10-K at 2024-11-18 16:20:38 EST
Accession Number: 0000731802-24-000030

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity. We continuously assess our risk of cyber threats to adapt quickly to the ever-changing challenges and risks surrounding cybersecurity. Atmos Energy has implemented policies, procedures, and controls to identify, protect, detect, and respond to cyberattacks or acts of online terrorism. Atmos Energy is also subject to the U.S. Department of Homeland Security Transportation Security Administration (TSA) security directive for our natural gas pipeline monitoring and control systems. The potential impact of cybersecurity risks on our business operations, results of operations, or financial condition is discussed in the “Technology and Cybersecurity Risks” section of Item 1A “Risk Factors.” We have not had any material cybersecurity breaches or incidents and have not incurred any material expenses, penalties, or settlement costs related to any cybersecurity breaches or incidents. However, measures that we take to identify, protect, detect, and respond from cybersecurity breaches or incidents may be insufficient or become ineffective, and there are no assurances that cybersecurity breaches or incidents will not impact our business operations and strategy, results of operations, and financial condition in the future. The following describes our risk management and strategy and corporate governance as it pertains to cybersecurity. Risk Management and Strategy Atmos Energy’s cybersecurity program leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) in its design of controls intended to reduce the risk and potential impact of cybersecurity incidents. This comprehensive approach encompasses continuous monitoring, risk assessments, a cybersecurity incident response plan, and regular evaluations to align our practices with industry standards. Additionally, we actively engage in cybersecurity risk management practices and continually improve procedures and practices to support the continued safe and reliable delivery of natural gas to our customers. The identification and management of cybersecurity risk is a component of our Integrated Risk Management process, which applies adaptive process improvement to help us respond to the changing cybersecurity landscape. Additionally, we use third parties to enhance our collective capability to monitor, detect, and respond to cybersecurity incidents. Further, we maintain collaborative relationships with government officials, law enforcement, and industry peers to keep informed of trends and potential cyber tactics. Finally, we maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business. We have an information technology cybersecurity incident response plan to manage cybersecurity incidents. The plan provides guidelines for actions in response to cyber security incidents that may occur at or otherwise affect Atmos Energy. These guidelines include notification to a cross-functional management team to assess incident materiality and an escalation process to members of our senior management team and our Board of Directors. This plan, which is periodically reviewed and tested, is supported by third parties to provide guidance and support to our cybersecurity management team. We also address cybersecurity risks associated with third-party service providers, including those in our supply chain or who have access to our data or our information technology systems. Atmos Energy currently conducts cyber assessments on potential vendors that will have access to information technology systems, data or facilities that house such systems or data. Following approval, those vendors are contractually required to manage their cybersecurity risks and provide notification in the event of a cybersecurity incident. Governance Our Vice President and Chief Information Officer (CIO), who has over two decades of experience in information technology, is responsible for overseeing our cybersecurity program. The CIO oversees an IT Information security team responsible for our overall cybersecurity program. This team is comprised of several IT professionals with varying degrees of cybersecurity experience and is led by our Director - Cybersecurity who has over 30 years of experience in information technology and cybersecurity. The Director - Cybersecurity reports to the CIO, who reports to the Senior Vice President and Chief Financial Officer. The CIO is a member of the Company’s Risk Management and Compliance Committee (RMCC). The RMCC is comprised of members from the senior leadership team and is responsible for overseeing enterprise-wide risk management across all categories, including cybersecurity. The RMCC is overseen by the Company’s Management Committee, which is comprised of the President and Chief Executive Officer, Senior Vice President and Chief Financial Officer, Senior Vice President, Utility Operations, Senior Vice President, General Counsel & Corporate Secretary and Senior Vice President, Human Resources. The CIO provides regular cybersecurity updates to the Audit Committee of the Board of Directors and the Management Committee. These updates address prevention, detection, mitigation, and remediation of cybersecurity incidents, as well as risks, threats, and the threat landscape. The Audit Committee of the Board of Directors oversees the company’s cybersecurity risks. Additionally, our Board of Directors periodically engages with third-party advisors to provide further education about cybersecurity risks.

Company Information