Page last updated on February 19, 2025
American Water Works Company, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:27:57 EST.
Company Summary
American Water provides water and wastewater utility services, ensuring the supply and treatment of water for residential, commercial, and industrial customers.
Filings
10-K filed on 2025-02-19
American Water Works Company, Inc. filed a 10-K at 2025-02-19 16:27:57 EST
Accession Number: 0001410636-25-000022
Item 1C. Cybersecurity.
The Company’s Cybersecurity Program

The Company’s cybersecurity program is an integral part of the long-term sustainability and effectiveness of the Company’s operational and technology environment. To protect the integrity of its data and operational and technology systems, the Company employs a “defense-in-depth” strategy that uses multiple security measures. This strategy aligns with the National Institute of Standards and Technology Cyber Security Framework and provides preventative, detective, and responsive measures to identify and manage risks. The Company periodically reviews and modifies the implementation of its cybersecurity strategy based on threat trends, program maturity, the results of assessments, and the advice of third-party security consultants.

The Company’s cybersecurity program includes the following areas of focus:

- Technology that includes, among other things, encryption, threat management, monitoring, investigation support and backups for physical devices, such as mobile phones and computers, connected to the Company network;
- Identity and access management controls that include, among other things, multi-factor authentication and safeguards associated with granting elevated privileges;
- Proactive cybersecurity processes, including vulnerability scanning, penetration testing and periodic program assessments by outside security consultants and assessors;
- Reactive cybersecurity processes that are regularly evaluated using various incident response and disaster recovery exercises;
- Employee cyber risk awareness and training, including regular simulation exercises with employees, that covers cybersecurity threats and actions to prevent and report attacks; and
- Third-party risk management and security standards, including due diligence, continuous monitoring, cyber risk scoring and contractual obligations, and periodic review of third-party control environments to align the Company’s risk exposure with its business requirements and risk tolerances.

Third-Party Relationships

The Company utilizes partners and third-party service providers to help deliver safe and reliable water and wastewater services across its regulated operations and has implemented a third-party risk management program to understand the cybersecurity risks to the Company that may arise out of these third-party relationships. The Company categorizes third-party relationships by risk level, which is determined primarily by the service provided by the third-party and its level of access to the Company’s data. Each category has specific cybersecurity controls, data privacy and documentation requirements, which are outlined in the agreement between the Company and the third-party service provider. In addition, the Company evaluates the online security footprint for its service providers at the time of agreement, and on a regular basis, thereafter, depending on the provider’s risk level. The Company reviews its agreements with third-party service providers periodically related to terms and conditions governing cybersecurity controls and data privacy. The Company also monitors, as appropriate, risks relating to potential compromises of sensitive Company information through third parties and reevaluates these risks periodically. In addition, the Company obtains annual attestation reports related to data security and privacy from certain third-party providers to further support compliance with industry-standard cybersecurity protocols.

Cybersecurity Risks

Cybersecurity threats are constantly evolving and have and will continue to become more frequent and sophisticated. Although the Company has implemented measures that it believes are reasonable to safeguard its operational and information technology systems and has sought to establish a culture of continuous monitoring and improvement, the evolving and increasingly complex nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. By way of example, as previously disclosed, on October 3, 2024, the Company identified unauthorized activity within its information technology computer networks and systems, which was determined to be the result of a cybersecurity incident. To date, the Company has determined that it has not experienced a cybersecurity incident that has resulted in a material impact to the Company’s financial condition, results of operations, cash flows, or business strategy. For additional information concerning the October 3, 2024, cybersecurity incident, and cybersecurity-related risks, see Item 1A - Risk Factors - Risks Related to Our Industry and Business Operations - “We are, and may in the future be, subject to physical and cyber attacks,” and “We may sustain losses that exceed or are excluded from our insurance coverage or for which we are self-insured”; and Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations - Other Matters - Cybersecurity Incident.

Cybersecurity Risk Management and Strategy

The Company has established an enterprise-wide cybersecurity program designed to prevent disruption to critical information systems, minimize the loss or manipulation of sensitive information, and to timely identify, escalate and promptly remediate and recover from cybersecurity incidents and facilitate compliance with regulatory and disclosure requirements.

To oversee cybersecurity risk management, the Company employs a dedicated unit, led by the Company’s Chief Information Security Officer (“CISO”), to implement cybersecurity controls, assess and report on cybersecurity risks and consult with the Company’s internal Enterprise Risk Management Committee, a decision-making body which supports and oversees the identification, assessment, prioritization, and mitigation strategies for enterprise-level risks, including cybersecurity risks. The CISO has over 25 years of work experience in the information technology, physical security and cybersecurity fields, including previously serving as the Company’s Chief Security Officer, and holds the Certified Protection Professional, Professional Certified Investigator and Physical Security Professional certifications from ASIS International. The CISO serves on the Water Sector Coordinating Council (“WSCC”), an advisory body comprised of representatives from various U.S. water and wastewater organizations, which serves as a policy, strategy and coordination mechanism for the water sector on critical infrastructure security and resilience issues. In that role, the CISO partners with representatives from the Department of Homeland Security and the EPA on U.S. water and wastewater sector initiatives. The CISO is also the former Chair of the WSCC, the National Association of Water Companies’ Safety and Security Committee, and the ASIS Utility Security Council. The CISO reports directly to the Company’s Chief Technology and Information Officer, who is responsible for the Company’s information technology program.

The Company’s security team provides oversight and policy guidance on physical, cyber and information security, as well as business continuity, throughout the Company’s operations. It is responsible for designing, implementing, monitoring and supporting effective physical and technical security controls for the Company’s physical assets, business systems and operational technologies. The Company’s security team also conducts annual and ongoing cybersecurity awareness training and education for the Company’s employees. In 2024, 100% of the Company’s active workforce completed mandatory cybersecurity training. By equipping employees with knowledge and skills, the Company strives to cultivate and maintain a cybersecurity-conscious culture within its workforce.

The Company’s cybersecurity risk assessment process involves considering risks associated with the nature of its business, receiving and processing inputs from internal and external stakeholders, monitoring industry trends and risks and engaging external advisors, to assist in aligning the Company’s cybersecurity processes with industry best practices. Risk assessments are conducted quarterly and annually to evaluate the effectiveness of the Company’s existing security controls and serve as the basis for additional safeguards, security controls and measures. Operational and technical security controls are deployed and integrated as safeguards against unauthorized access to the Company’s information systems. These controls are aimed at (i) assuring the continuity of business processes that are dependent upon automation, (ii) maintaining the integrity of the Company’s data, (iii) supporting regulatory and legislative compliance requirements, and (iv) maintaining safe and reliable service to the Company’s customers.

The Company has also implemented a vulnerability assessment program that is reviewed at least annually and more frequently, depending on changes to the risk environment. This process serves as a guiding enterprise-wide framework to outline the scope and procedures of the Company’s cybersecurity risk management processes. By prioritizing vulnerability management and continuously evaluating the Company’s internal and external environments for vulnerabilities, the Company aims to implement preventative measures to protect its information assets and technology-based infrastructure from cybersecurity threats. This approach helps to reduce the Company’s exposure to material cybersecurity threat risks.

Incident Response

The Company utilizes an established internal framework designed to assess promptly the severity and materiality of cybersecurity incidents based on predefined quantitative and qualitative criteria and to determine the appropriate level of response. Incidents are escalated to the relevant management teams based on their severity and materiality for prompt response and mitigation. The Company maintains a standing crisis response team comprised of individuals from various functional units, including without limitation Information Technology, Legal, Finance, Enterprise Risk Management, Operations and Communications, to respond to cybersecurity and physical security incidents, environmental incidents and health and safety emergencies, among others. When a cybersecurity incident occurs, the Company establishes a cross-functional incident response team to respond to the specific cybersecurity incident. The incident response team consists of a subset of members from the standing crisis response team, including personnel with the most relevant experience related to the specific incident. This collaborative approach is intended to enable the Company to leverage expertise throughout the business to address cybersecurity events and to evaluate the potential financial, legal, operational and reputational implications of an incident, or series of related incidents. In considering the materiality of an event, related attacks, whether in terms of quantity or impact, are reviewed individually and in the aggregate to determine whether they may have a significant impact on the Company’s financial condition, results of operations or business strategy, either quantitatively or qualitatively.

Cybersecurity Governance

The Board of Directors is responsible for oversight of the Company’s cybersecurity program and the Company’s responses to cybersecurity risk. The Board of Directors has delegated to its SETO Committee responsibility for the oversight and review of technology policy, strategy and governance, and cybersecurity issues that could impact the Company’s operational performance or risk profile. The SETO Committee meets at least quarterly and receives reports related to cybersecurity threats, trends and risks, and related mitigation activities. In addition, the SETO Committee and the Board of Directors receive reports of periodic external assessments and internal testing of the effectiveness of the Company’s cybersecurity program. The SETO Committee coordinates with the Audit, Finance and Risk Committee, as appropriate, on matters related to cybersecurity risk. The Audit, Finance and Risk Committee is responsible for, among other things, overseeing the adequacy and effectiveness of the Company’s system of internal controls and the Company’s risk assessment and management strategy, including with respect to cybersecurity risks.
Company Information
Name | American Water Works Company, Inc. |
CIK | 0001410636 |
SIC Description | Water Supply |
Ticker | AWK - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |