Global Water Resources, Inc. 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

Global Water Resources, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 17:19:42 EST.

Filings

10-K filed on 2025-03-05

Global Water Resources, Inc. filed a 10-K at 2025-03-05 17:19:42 EST
Accession Number: 0001434728-25-000079

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Rapidly evolving threats to the cybersecurity landscape necessitate ongoing efforts to manage the risk of unauthorized access to the Company’s information systems and devices, including those of the Company and of third-party providers. The Company is subject to laws and rules issued by multiple government agencies concerning safeguarding and maintaining the confidentiality of its security, customer and business information. The Company employs various aspects of risk assessment regularly, and to -35- Table of Contents the extent possible, continuously. Further, the Company uses a defense in depth, or layered, approach to strengthen the security environment and mitigate the impact of any potential threats. Cybersecurity risks are strategically managed under the leadership of the Vice President, IT Operations and Security , who has achieved preeminent certification as a Certified Information Security Manager (CISM) and Certified Cloud Security Professional (CCSP) and has served as the most senior IT resource in many different roles. Management regularly assesses new and emerging risks by keeping apprised of current events and actual or anticipated threats within the industry and the overall security environment, which are used along with a risk-based approach to plan and implement changes or improvements to the security environment. The Company has engaged independent experts to assess the security environment for potential vulnerabilities or weaknesses and has plans for future engagements periodically to supplement the expertise and processes established within the Company. Thorough updates are provided to the board of directors quarterly by the Vice President, IT Operations and Security . The directors may ask questions or engage in further discussion related to the security environment. Employees are one of our most valuable resources, and it is essential that education, particularly related to social engineering, is persistent and relevant. The Company requires ongoing cybersecurity awareness training for all employees, including weekly simulated emails to test the knowledge and reaction of employees. The training is customized based on actual events or anticipated emerging threats, keeping the education applicable and purposeful. The Company utilizes various continuous monitoring methods for identification and notification of attempted unauthorized system access. Tools deployed throughout the Company track these attempts, allowing for trend analysis and strategic adaptation. The Company has also established an incident response policy that thoroughly and systematically documents the Company’s response and assigns responsibility to facilitate timely, organized and appropriate action during a security event or incident, including assessment of the impact and materiality of the event or incident. Incident management is led by the Security Incident Response Team, under the primary leadership of the Vice President, IT Operations and Security, in which the process is categorized by the detection, analysis, containment, eradication and recovery phases and is inclusive of post-incident activities . As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For additional information regarding cybersecurity-related risks we face, see “Risk Factors-Technology Factors-Our information technology systems may be vulnerable to unauthorized external or internal threats due to hacking, ransomware, viruses or other cybersecurity breaches,” included in Part I, Item 1A of this report. -36- Table of Contents

Company Information