Page last updated on February 26, 2025
Southwest Gas Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 08:12:44 EST.
Filings
10-K filed on 2025-02-26
Southwest Gas Holdings, Inc. filed a 10-K at 2025-02-26 08:12:44 EST
Accession Number: 0001692115-25-000082
Item 1C. Cybersecurity.
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks; intellectual property and proprietary business information theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; physical damage to utility and transmission infrastructure; and reputational harm. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage these risks.
As part of our enterprise risk management program, we consider cybersecurity risks alongside other risks in our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying material cybersecurity threats, assessing their severity, and deploying potential mitigations.
Southwest Gas’ cybersecurity program focuses on people, processes, and technology, and takes a defense-in-depth approach by seeking to align with industry best practices. We invest in annual cybersecurity awareness training and testing for employees, by means of which we teach employees about remaining vigilant in daily work activities and practicing good security awareness. Specialized cybersecurity training is provided to those in specific job functions particularly susceptible to cyber incidents and phishing simulations are conducted monthly. Annually, a cybersecurity fair is held, and every employee is encouraged to participate. During this fair, outside experts present current and relevant information in an engaging and educational atmosphere. Tabletop exercises are periodically conducted to evaluate controls, processes, and procedures within Southwest Gas and with our partners in the handling of a cybersecurity incident.
Southwest Gas maintains partnerships with law enforcement and other participants within the natural gas and electric utility industries. We also participate in the Information Sharing and Analysis Center to share threat intelligence and collaborate on cybersecurity issues affecting our industry.
As a natural gas LDC, Southwest Gas’ objective is to comply with the TSA security directives for our gas monitoring and control systems. Pursuant to these directives, Southwest Gas engages outside consultants to regularly review our technical architecture and alignment with the TSA security directives. In addition to complying with these regulations, Southwest Gas takes a quantitative approach to cybersecurity risk to identify areas for future cybersecurity investment and periodically engages experts to attempt to infiltrate our information systems to further strengthen our security posture.
We invest in a range of cybersecurity technologies within the perimeter, network, and endpoints, creating a defense-in-depth architecture designed for prevention and response to cybersecurity events and to help minimize risk exposure.
To provide for the availability of critical data and systems, maintain regulatory compliance, manage our risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, Southwest Gas undertakes the following activities:
- deploys a defense-in-depth approach with security measures in place at multiple layers;
- closely monitors information systems using a suite of technologies and a specialized cybersecurity team;
- reviews emerging data protection laws and implements changes to our processes designed for compliance;
- trains each new employee who handles individual customer data on handling and use requirements for such data;
- avoids, where possible, storing sensitive customer information like social security numbers or banking information for individual customers on our information systems;
- conducts regular phishing email simulations for employees and contractors with access to corporate email systems to enhance awareness and responsiveness to possible threats;
- through policy, practice, and contracts (as applicable), encourages employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
- runs tabletop exercises to simulate response activities to a cybersecurity incident and use the findings to improve our processes and technologies;
- leverages the NIST Computer Security Incident Handling Process as a guideline to help identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
- conducts vulnerability and penetration assessments, with associated remediation activities.
Southwest Gas’ incident response plan is designed to coordinate the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents.
These activities include processes to triage, assess severity, communicate, contain, investigate, and remediate the incident, as well as to comply with applicable legal obligations and mitigate reputational damage.
Southwest Gas’ processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or those who have access to customer and employee data or our systems. Third-party risks are included within our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers.
We perform diligence on third parties that have access to our systems, data, or facilities that house such systems or data, and monitor cybersecurity threat risks identified through our diligence review. Our due diligence process involves the use of questionnaires that are completed by third-party service providers and reviewed by business representatives and cybersecurity specialists to identify risks associated with third-party service providers. We use the responses provided to assist in finding ways to mitigate risks presented by a particular third-party service provider, consistent with the services provided. Additionally, contracts with third parties that could introduce significant cybersecurity risk to Southwest Gas include terms to assist in the mitigation of cybersecurity risks, including but not limited to, requiring counterparties to report data privacy or cybersecurity incidents to us and to agree to be subject to periodic cybersecurity audits as appropriate.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Operational Risks” as part of our risk factor disclosures in Item 1A of this Annual Report on Form 10-K, which are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. However, because Southwest Gas’ operations involve critical infrastructure, as defined under federal law and by the TSA, we have been and will continue to be the target of cybersecurity attacks from time to time.
Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. The responsibility for oversight of risks from cybersecurity threats rests with our entire Board, but the Audit Committee oversees certain cybersecurity related items as described below.
At least twice per year the entire Board receives an overview from management on our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, and cybersecurity threat risks or incidents and developments, as well as the steps management took to respond to such risks. Additionally, our Chief Information Officer attends Audit Committee meetings to present cybersecurity information for consideration in financial reporting, as necessary, and attends private Executive Sessions with the Audit Committee. Our Director of Internal Audit reports to the Audit Committee regarding attack and penetration exercise results and remediation.
Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news or events and discuss any significant updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of matters such as enterprise risk management, operational budgeting, mergers and acquisitions, and other relevant matters. In 2023, the Board participated in a tabletop exercise associated with cyber threats and in 2024 the Board received a presentation from the former Chief of Staff of the Cybersecurity and Infrastructure Security Agency.
At the management level for Southwest Gas, our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by Southwest Gas’ President and the Vice President/Information Services/Chief Information Officer, along with the Director of Information Security. A Cybersecurity Executive Committee, consisting of officer-level management appointees representing key areas of our business, exists to maintain situational awareness of cybersecurity risks, support methods of addressing cybersecurity risks, and support the Chief Information Officer’s efforts to help Southwest Gas follow natural gas sector-specific regulations and reporting. The Cybersecurity Executive Committee meets regularly with legal advisors and cybersecurity professionals.
In our Information Services department, the cybersecurity management team members hold degrees in information technology or cybersecurity and industry-recognized certifications in cybersecurity, and each has many years of relevant work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs.
Cybersecurity team members are expected to keep their knowledge, skills, and training current by participating in industry events and continuing education programs as applicable.
These members of management and the Cybersecurity Executive Committee are informed about, and monitor the prevention, mitigation, detection, and remediation of, cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Our cybersecurity playbooks and incident response plan outline our procedures, communication protocols, and information escalation processes applicable throughout the lifecycle of a cybersecurity incident. The playbooks and plans cover information flow from discovery of a possible issue through the reporting of it to Information Services management, the Cybersecurity Executive Committee, and Board as necessary.
As discussed above, members of management (our President, Chief Information Officer, and Director of Information Security) report to the entire Board about cybersecurity threat risks, among other cybersecurity related matters, at least twice per year, with the Audit Committee receiving more frequent updates as needed to assist in maintaining or enhancing cybersecurity posture in financial reporting, and monitoring attack and penetration testing results.
Company Information
Name | Southwest Gas Holdings, Inc. |
CIK | 0001692115 |
SIC Description | Natural Gas Transmission & Distribution |
Ticker | SWX - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |