SPIRE INC 10-K Cybersecurity GRC - 2024-11-20

Page last updated on November 20, 2024

SPIRE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 10:43:44 EST.

Filings

10-K filed on 2024-11-20

SPIRE INC filed a 10-K at 2024-11-20 10:43:44 EST
Accession Number: 0001437749-24-035823


Item 1C. Cybersecurity.

Managing risk related to cybersecurity is a top priority for Spire, and the Company remains focused on addressing threats that would jeopardize the confidentiality, integrity and availability of stakeholders’ information or the ability to continue providing safe and reliable service to customers. To date, Spire has not experienced any material cybersecurity breach that impacts the Company’s business strategy, results of operations, or financial condition.

Risk Management

Enterprise risk management (ERM) at Spire oversees significant risks to the Company’s ability to successfully execute on strategy and achieve corporate objectives. Spire’s ERM is based on a structured, comprehensive process that leverages ISO 31000:2018, adopted and customized to the Company’s needs, utilizing an ongoing process of risk identification, evaluation, treatment, integration and monitoring. ERM helps assess priorities and facilitate decision-making for resource allocation as it relates to risk management. Two risks prioritized by our Enterprise Risk Oversight Committee related to cybersecurity are cyber threats and vendor management. Additionally, the ERM process is structured to integrate with operational levels, where risk is managed, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 utilized by the Company’s Information Security function for managing cybersecurity.

Governance

Spire’s Board of Directors (“Board”) recognizes the significance of cybersecurity risk and has therefore retained oversight of cybersecurity rather than delegating this risk to a committee of the Board. Every regular meeting of the Board includes a cybersecurity report provided by the Company’s Chief Information Officer and the Managing Director of Information Security. These reports focus on developments within the Company’s cybersecurity program and provide an update on any cybersecurity events or concerns. The Board recently added a new director with expertise in cybersecurity to assist the Board to appropriately oversee the Company’s efforts.

Spire’s cybersecurity program is led by the Chief Information Officer and the Managing Director of Information Security, who together have over 40 years of experience in information technology and cybersecurity, along with a cross-functional team of technology, legal, physical security and risk leaders. Internal Audit provides assurances of risk management activities, including certain third-party cybersecurity activities, such as penetration testing.

Strategy/Approach

Spire’s cybersecurity team developed a five-year strategic roadmap in 2020, which is reviewed and updated annually. A NIST-based maturity assessment is also conducted annually to assess Spire’s current maturity level and is used to establish initiatives to drive capabilities in key focus areas. Such initiatives were updated to align with federal security directives issued in 2021, with a key focus on increasing overall visibility into the environment to better correlate potential security related items; completing segregation and dependency from the enterprise and industrial control systems environments; and establishing defined policies and procedures to enhance overall governance and risk management.

In addition to these strategic efforts, the Company works closely with federal agencies, including the U.S. Department of Homeland Security, TSA and the local FBI chapter, and is actively involved in industry information sharing groups.

The Company’s cybersecurity function is staffed with dedicated professionals who continuously monitor risks and evaluate the resiliency and effectiveness of the architecture and defenses within Spire’s systems. The Company also maintains policies, procedures and standards to manage conduct within Spire and to be prepared for new cybersecurity threats and events.

The cybersecurity program involves a variety of training and education to increase awareness of cybersecurity threats through mandatory annual security awareness training for all employees, quarterly phishing campaigns, and table-top exercises. The Company also engages third parties to evaluate potential risks through external penetration testing to assess the efficacy of systems. Spire maintains business continuity plans to guide the Company’s response to a potential cybersecurity event. These plans are regularly reviewed, tested and updated to ensure they meet the evolving needs of the Company in this area. The Company also conducts annual disaster recovery exercises to test the efficacy of core systems in the event of a catastrophic incident.


Company Information

Name: SPIRE INC
CIK: 0001126956
SIC Description: Natural Gas Distribution
Ticker: SR - NYSE; SR-PA - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: September 29