Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy

Our information technology (“IT”) and cybersecurity programs are crucial to maintaining secure operations, which enable us to deliver on our promise to customers and maintain stakeholder trust. Our Vice President of Information Technology (“VP IT”) is responsible for establishing, implementing, and executing our cybersecurity program and strategy. Our VP IT has more than 25 years of IT, IT audit, and cybersecurity experience, and is involved in assessing the latest developments in cybersecurity, including potential threats and innovative risk management techniques. All IT staff are obliged to include cybersecurity as part of their everyday considerations and tasks.

Our cybersecurity program is a critical component of our enterprise risk management process overseen by our Board of Directors, and we have integrated cybersecurity-related risks into our overall enterprise risk management framework. Additionally, cybersecurity-related risks are included in the risk universe that the risk management function evaluates to assess top risks to the enterprise on an annual basis.

Our IT department proactively identifies, manages, and mitigates cyber risk in a variety of ways, including but not limited to:

a. A formal enterprise-wide cybersecurity policy and related standards;
b. Cybersecurity training and employee phishing simulations;
c. Ongoing vulnerability assessment, identification, and remediation;
d. Cyber incident response, IT disaster recovery, and business continuity plans;
e. Identity and access management controls;
f. Automated patch management and security updates;
g. Network isolation of key operations environments; and
h. Email filtering with attachment inspection and targeted threat protection.

The standards set in our cybersecurity program include the implementation of controls that are aligned with industry guidelines and applicable regulations to identify threats, deter attacks, and protect our information security assets. These standards are guided, in part, by the relevant National Institute of Standards and Technology (NIST) and American Water Works Association (AWWA) frameworks and guidance. We use various tools, security measures and technologies to aid in seeking to protect our network perimeter and internal systems from unauthorized access, intrusion, or disruption. Assessments are conducted across our systems, networks, and data infrastructure to identify potential cybersecurity threats and vulnerabilities.

We have policies and procedures in place for selecting and managing our relationships with third-party service providers and other business partners, including monitoring compliance with our agreements and regulatory and legal requirements. We also actively engage with industry participants and related communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. In addition, a monitoring and detection system has been implemented to help identify cybersecurity threats and incidents. Our cybersecurity program also focuses on providing training and awareness to our employees and contractors on cybersecurity best practices.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity program is a critical component of our enterprise risk management process overseen by our Board of Directors, and we have integrated cybersecurity-related risks into our overall enterprise risk management framework. Additionally, cybersecurity-related risks are included in the risk universe that the risk management function evaluates to assess top risks to the enterprise on an annual basis.

Our IT department proactively identifies, manages, and mitigates cyber risk in a variety of ways, including but not limited to:

a. A formal enterprise-wide cybersecurity policy and related standards;
b. Cybersecurity training and employee phishing simulations;
c. Ongoing vulnerability assessment, identification, and remediation;
d. Cyber incident response, IT disaster recovery, and business continuity plans;
e. Identity and access management controls;
f. Automated patch management and security updates;
g. Network isolation of key operations environments; and
h. Email filtering with attachment inspection and targeted threat protection.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other IT risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program.

The Audit Committee oversees the management of our cybersecurity risk exposures and the steps management has taken to monitor and control such exposures. At each quarterly meeting, the Audit Committee receives an update from our VP IT and other members of management on relevant topics, including cybersecurity program maturity progress, new capabilities implemented, testing results, key cyber risk metrics (e.g., simulated phishing testing and vulnerability management) and notable incidents or events should they occur. On an annual basis, our Board of Directors meets with our VP IT and our third-party cybersecurity consultant to review our cybersecurity strategy. In accordance with our cybersecurity incident response plan, our Board of Directors is promptly informed of potentially material cybersecurity incidents, including with respect to our third-party service providers.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee oversees the management of our cybersecurity risk exposures and the steps management has taken to monitor and control such exposures. At each quarterly meeting, the Audit Committee receives an update from our VP IT and other members of management on relevant topics, including cybersecurity program maturity progress, new capabilities implemented, testing results, key cyber risk metrics (e.g., simulated phishing testing and vulnerability management) and notable incidents or events should they occur. On an annual basis, our Board of Directors meets with our VP IT and our third-party cybersecurity consultant to review our cybersecurity strategy. In accordance with our cybersecurity incident response plan, our Board of Directors is promptly informed of potentially material cybersecurity incidents, including with respect to our third-party service providers.

Cybersecurity Risk Role of Management [Text Block]

Our information technology (“IT”) and cybersecurity programs are crucial to maintaining secure operations, which enable us to deliver on our promise to customers and maintain stakeholder trust. Our Vice President of Information Technology (“VP IT”) is responsible for establishing, implementing, and executing our cybersecurity program and strategy. Our VP IT has more than 25 years of IT, IT audit, and cybersecurity experience, and is involved in assessing the latest developments in cybersecurity, including potential threats and innovative risk management techniques. All IT staff are obliged to include cybersecurity as part of their everyday considerations and tasks.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Vice President of Information Technology (“VP IT”) is responsible for establishing, implementing, and executing our cybersecurity program and strategy.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our VP IT has more than 25 years of IT, IT audit, and cybersecurity experience, and is involved in assessing the latest developments in cybersecurity, including potential threats and innovative risk management techniques.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true