ENBRIDGE INC 10-K Cybersecurity GRC - 2024-02-09

Page last updated on April 11, 2024

ENBRIDGE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-09 07:05:38 EST.

Filings

10-K filed on 2024-02-09

ENBRIDGE INC filed a 10-K at 2024-02-09 07:05:38 EST
Accession Number: 0000895728-24-000007

Item 1C. Cybersecurity.

Cybersecurity risk management, strategy and governance

Risk oversight and management is a key role for the Board and its committees. The Board is responsible for identifying and understanding Enbridge’s principal risks and ensuring that appropriate systems are implemented to monitor, manage and mitigate those risks. The committees of the Board have oversight over risks within their respective mandates.

Oversight of cybersecurity is integrated into the responsibilities of the Board. The Audit, Finance and Risk Committee (the AFRC) provides oversight of cybersecurity matters, particularly as they relate to financial risk and controls, integrity of financial data and public disclosures, and security of the cyber landscape across data and digital. The Safety and Reliability Committee (SRC) has oversight responsibility for security (physical, data and cyber) including as it relates to operational risk and controls, safety, operations integrity and reliability, and asset operations.

Management provides regular reports to the Board at every meeting to review our top risks, identify trends and help manage risk. This includes quarterly reports to the AFRC and SRC on cybersecurity matters. In addition, on an annual basis management prepares and provides to the Board and its committees a corporate risk assessment (CRA), which analyzes and prioritizes enterprise-wide risks (including cybersecurity), highlighting top risks and trends. The annual CRA is an integrated enterprise-wide process. We assess and rank risks based on impact and probability, and we strive to ensure that mitigation measures are appropriately designed, prioritized and resourced. The CRA report is reviewed by the Board committees with responsibility for the risk category relevant to their mandate and is provided to the Board, which coordinates Enbridge’s overall risk management approach. Complementary to the CRA, management prepares and provides to the SRC an annual top operational risk report that highlights the highest consequence operational risks across Enbridge and includes further detail on the risks and their treatment. This information helps inform the Board about the potential impact of top operational risks and that appropriate treatments are in place to manage those risks.

Cybersecurity has been identified as a top risk as attacks against participants in our industry have continued to increase in sophistication and frequency over the years. Cybersecurity risk is described in Item 1A. Risk Factors.

Enbridge’s management is responsible for the implementation of risk management strategies and monitoring performance. The technology and information services (TIS) function is centralized under the Senior Vice President & Chief Information Officer (CIO), who has over two decades of international leadership in the business of technology. We also engage independent third parties to assess our cybersecurity program, track their recommendations and use those to further improve the program. Reporting to the CIO is the Chief Information Security Officer who is in charge of our cybersecurity program and oversees the 24x7x365 Security Operations Center (SOC).

We conduct continuous assessments of our cybersecurity standards, perform regular tests of our ability to respond and recover, and monitor for potential threats. To further mitigate threats, we collaborate with governments and regulatory agencies, and take part in external events to learn and share. Our workforce participates in regular security awareness training, including exercises to build capabilities to identify and report suspect phishing emails to our SOC. In the last year, we continued to expand the cybersecurity training and simulated testing we administer to high-risk groups within the organization. A tailored cybersecurity training course has been implemented for team members in operational technology roles, and we have increased the frequency of phishing simulation tests.

We have a cybersecurity third party risk management program, which is an evolving, cross-functional program to help assess and mitigate risks from third party vendors and other service providers. Our cybersecurity team also uses several layers of defense and protection technologies, cybersecurity experts, and automated alerting and response mechanisms to reduce risk to Enbridge.

Although cybersecurity risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have experienced an increasing number of cybersecurity threats in recent years. For more information about the cybersecurity risks we face, see the risk factor entitled “Cyber attacks and other cybersecurity incidents pose threats to our technology systems and could materially adversely affect our business, operations, reputation or financial results.” in Item 1A. Risk Factors.


Company Information

Name: ENBRIDGE INC
CIK: 0000895728
SIC Description: Pipe Lines (No Natural Gas)
Ticker: ENB - NYSE, EBBNF - OTC, EBBGF - OTC, EBGEF - OTC, EBRGF - OTC, EBRZF - OTC, ENBFF - OTC, ENBGF - OTC, ENBHF - OTC, ENBMF - OTC, ENBNF - OTC, ENBOF - OTC, ENBRF - OTC, ENNPF - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: December 30