HAWAIIAN ELECTRIC INDUSTRIES INC 10-K Cybersecurity GRC - 2025-02-24

Page last updated on February 24, 2025

HAWAIIAN ELECTRIC INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 15:45:53 EST.

Filings

10-K filed on 2025-02-24

HAWAIIAN ELECTRIC INDUSTRIES INC filed a 10-K at 2025-02-24 15:45:53 EST
Accession Number: 0000354707-25-000013


Item 1C. Cybersecurity.

Cybersecurity risk oversight and management is a critical component of the Company’s overall enterprise risk management and top priority for the Company and its Board of Directors. The Company’s Board of Directors has delegated management of Enterprise Risk Management, which includes cybersecurity, to the HEI and Hawaiian Electric Audit and Risk Committees (collectively, the ARCs). The ARCs exercise their oversight responsibility of cybersecurity through quarterly (or more frequently if necessary) cybersecurity risk updates and reports of incidents, if any, by management (primarily the Utilities’ Chief Information Officer and Chief Information Security Officer). In early 2023, in recognition of the increased cybersecurity threats and heightened cybersecurity risks facing the Company, the ARCs formed the Cybersecurity Working Group (CWG), which is currently comprised of two directors, one from each of the HEI and Hawaiian Electric Boards of Directors. The purpose of the CWG is to oversee and conduct periodic meetings with management to discuss cyber risk, risk treatment, and operational activities relative to cyber risk treatment and to report matters to the ARCs. The CWG also evaluates cybersecurity areas highlighted by the ARCs including areas the CWG deems higher risk or topical and reports back to the ARCs on a quarterly basis. The CWG also coordinates with the Company’s management on regular trainings and tabletop exercises for the Board of Directors.

Electric utility

System overview. The Utilities rely on evolving and increasingly complex operational and information systems, networks and other technologies, which are interconnected with the systems and network infrastructure owned by third parties, to support a variety of business processes and activities, including procurement and supply chain, invoicing and collection of payments, customer relationship management, human resource management, the acquisition, generation and delivery of electrical service to customers, and to process financial information and results of operations for internal and external reporting and compliance with regulatory, financial reporting, legal and tax requirements. The Utilities use their systems and infrastructure to create, collect, store, and process sensitive information, including personal information regarding customers, employees and their dependents, retirees, and other individuals.

Risk management and strategy. The Utilities have a cybersecurity program in place, which is integrated into the overall risk management program and includes a risk management strategy and risk assessment policy, which are disseminated and maintained by the Chief Information Security Officer (CISO), revisited annually and govern the enterprise cybersecurity risk and maturity assessment process. The program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and leverages a risk-based approach to optimize security investment and advance the security program’s maturity and security posture over time. The Utilities’ cybersecurity program adopts security measures designed to protect the confidentiality, integrity, and availability of information technology systems, network infrastructure and other assets. The Utilities’ security measures, such as awareness and training, monitoring, etc. are designed to prevent, detect, and minimize the effects of a cybersecurity incident.
These measures are periodically evaluated and audited against the NIST CSF by internal audit and independent third-party cybersecurity specialists. The CISO actively monitors developments in the area of cybersecurity and is involved in various related government and industry groups and briefs the Company’s Board quarterly or as needed on relevant cybersecurity issues. The Utilities continue to make investments in their cybersecurity program, including personnel, technologies, cyber insurance and training of Utilities personnel.

The Utilities have disaster recovery and incident response plans in place to protect their businesses from information technology service interruptions. The disaster recovery plans are established to help prevent the loss of customer data, service interruptions and disruptions to operations or damage to important facilities. In addition, the Utilities also maintain cyber liability insurance that covers certain damages caused by cyber incidents. Despite the Utilities’ security measures, all of their systems are vulnerable to disability, failures or unauthorized access caused by natural disasters, cybersecurity incidents, security breaches, user error, unintentional defects created by system changes, military or terrorist actions, power or communication failures or similar events.

To date, the Utilities are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Utilities, including their business strategy, results of operations or financial condition. For further information, see “The Company is subject to information technology and operational system failures, network disruptions, cyber attacks and breaches in data security that could materially and adversely affect its businesses and reputation” in Item 1A. Risk Factors.

Governance. Cybersecurity governance is a critically important part of managing security and risk, and helps ensure that the Utilities’ cybersecurity program aligns with its business objectives, complies with government and industry regulations, and achieves the goals that leadership has set out for managing security and risk. The Company’s Board of Directors oversees risks from cybersecurity threats. Oversight includes quarterly or as needed reporting from the CISO on the overall cybersecurity risk reduction program maturity, emerging and current cybersecurity risks, and the cybersecurity threat landscape. The CISO has over 30 years of experience in assessing and managing cyber risks, is responsible for day-to-day management of cybersecurity risks and regularly reports to the Board of Directors through the CWG.

All Other segment

HEI does not have an information technology (IT) or cybersecurity risk management (CRM) department, including the resources or expertise, to manage IT/CRM-related matters and processes. HEI relies on Hawaiian Electric to provide most of its IT/CRM-related services pursuant to a Service Level Agreement (SLA), amended, as of November 30, 2023 between HEI and Hawaiian Electric. HEI also employs third party cybersecurity consultants to assist in managing CRM-related matters. The SLA outlines specific services that Hawaiian Electric provides to HEI, which includes support on all IT/CRM-related matters, IT service desk support, electronic file storage and backup, hardware and software installation, inventory and maintenance, standard networking and telecommunication support, and other various IT/CRM matters, including periodic reporting to HEI’s Board of Directors and CWG. Refer to Hawaiian Electric’s cybersecurity discussion for more information. The SLA services provided by Hawaiian Electric are mainly for applications and systems on Hawaiian Electric’s infrastructure, networks and servers.
The SLA does not cover support for certain software applications that were procured outside of Hawaiian Electric’s procurement and IT policies and procedures. These include the HEI’s general ledger application itself, excluding the infrastructure that the general ledger application is installed on, and certain cloud-based software. Although these applications are not supported by Hawaiian Electric, security measures and internal control procedures related to user access and periodic security reviews have been implemented on these applications and are performed on an on-going basis in accordance with Hawaiian Electric’s IT policies and procedures. These controls are required to protect HEI’s financial and other sensitive information, as well as to prevent cybersecurity breaches on Hawaiian Electric’s infrastructure, networks and servers. In the event of a cybersecurity breach on these applications not supported by Hawaiian Electric, HEI employs third party cybersecurity consultants to assess and resolve issues resulting from a breach, depending on its severity. Hawaiian Electric may also provide guidance and support to assist HEI in assessing and resolving cybersecurity breaches. HEI has also formulated disaster recovery plans, which are updated on an annual basis, involving all of its applications, including those applications not supported by Hawaiian Electric. HEI’s cybersecurity governance is primarily integrated within Hawaiian Electric’s cybersecurity governance plan and processes. HEI’s Board of Directors and CWG are tasked with overseeing risks from cybersecurity threats through routine quarterly, or as needed, updates and periodic deep-dive sessions. These updates cover cybersecurity incidents, as well as overall cybersecurity risk reduction program maturity, emerging and current cybersecurity risks, and the cybersecurity threat landscape. 
The HEI CFO oversees all IT and cybersecurity matters at HEI, including having oversight responsibility for the services delivered under the SLA. Since the HEI CFO does not have expertise in cybersecurity, the HEI CFO works with the Hawaiian Electric CISO and, if necessary, with third-party cybersecurity consultants on assessing, identifying, and managing material cybersecurity matters impacting HEI. There were no cybersecurity incidents that have materially affected or are reasonably likely to materially affect HEI, including its business strategy, results of operations or financial condition.


Company Information

Name: HAWAIIAN ELECTRIC INDUSTRIES INC
CIK: 0000354707
SIC Description: Electric Services
Ticker: HE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30