Duke Energy CORP 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Duke Energy CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 13:27:16 EST.

Filings

10-K filed on 2024-02-23

Duke Energy CORP filed an 10-K at 2024-02-23 13:27:16 EST
Accession Number: 0001326160-24-000037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management Ensuring the security of Duke Energy s assets, information and teammates is vital for delivering the essential service on which Duke Energy s customers and communities depend. In light of the ever-evolving threat landscape and increasing sophistication of threat actor tactics, techniques and procedures, steadfast and sophisticated cybersecurity and security operations are integral parts of Duke Energy s enterprise risk management framework. Duke Energy’s enterprise risk management framework is used across the enterprise by subject matter experts to identify, assess, monitor and communicate enterprise level risks to the Chief Risk Officer. Duke Energy s technology and cybersecurity risk management program is integrated into the Company s overall Enterprise Risk Management program and is composed of three primary lines of defense: (1) the Cybersecurity Incident Response Team (CIRT); (2) the Duke Energy Enterprise Security Team (EST); and (3) internal and external cybersecurity audits. Duke Energy s first line of defense is the CIRT under the Office of the Chief Information Officer. The CIRT reports up to leaders in the Chief Security and Information Security Office, including the Chief Security and Information Security Officer (CSISO), Managing Director of Cybersecurity and Network Defense, and Director of Cybersecurity Operations, whose cybersecurity backgrounds include many years serving in operational cyber roles, leading incident response, participating in industry engagement, collaborating with federal and local cyber programs, and time analyzing security breaches across the industry. The CIRT oversees an enterprisewide process that identifies, assesses, responds to and resolves cyber incidents, both internal and those associated with the Company s use of third-party service providers, by defining roles, responsibilities and the process for problem source identification, mitigation, and eradication triggered by a suspected cyber incident. Duke Energy manages cybersecurity threats through its 24/7 Duke Energy Cybersecurity Operations Center (CSOC), which serves as the Company s central command center for monitoring and coordinating responses to cyberthreats. The CSOC engages in daily information sharing within the utilities industry and with government partners and monitors incoming intelligence and cyber incident impacts. The CSOC assesses the relevant information by assigning a CIRT Heat Map score, which results in CIRT activation if a certain threat level is met. It also results in the assignment of additional roles and responsibilities to enable the cybersecurity leadership and technical teams to collectively and regularly review incident information, score the impact, communicate to leadership, and respond appropriately. Another key component of Duke Energy s first line of defense against cybersecurity threats is its Third-Party Risk Management (TPRM) process, whereby third parties providing services that meet certain criteria such as storing or transmitting Duke Energy data, hosting an application, or connecting to the Duke Energy network are required to undergo a cybersecurity assessment primarily to ascertain the risk of a third party s proposed services to Duke Energy. 32 CYBERSECURITY Duke Energy s second line of defense against cybersecurity threats is the EST, which is led by the CSISO, and actively evaluates, anticipates and tests Duke Energy s cybersecurity risk level and preventive and risk mitigation controls relative to the enterprisewide risk level and controls. The EST is responsible for infrastructure defense and security controls, performing vulnerability assessments and third-party information security assessments, employee awareness and training programs and security incident management, including oversight of the remediation of cybersecurity incidents. The EST monitors cyber activity and also reports on the status of the Company s cybersecurity performance and any ongoing remediation efforts to the Company s Chief Information Officer (CIO) and CSISO. The CIO and CSISO report these cybersecurity metrics, which use a vulnerability management scoring system and closely align with the National Institute of Standards and Technology Cybersecurity Framework, to the Audit Committee at each regularly scheduled Audit Committee meeting. The EST also employs tools and oversees and challenges Duke Energy s cybersecurity and technology metrics under its Enterprise Security Risk Register to track, identify and manage risk. To this end, the EST engages outside expert firms to perform a comprehensive external penetration test each year, performs system and application penetration testing several times throughout the year, and conducts annual exercises simulating the tactics, techniques, and procedures of advanced threat actor groups to test the Company s ability to prevent penetration, detect suspicious activity and respond to these threats in a timely manner. Lessons learned inform the ongoing improvement of security preventive and mitigating controls and procedures and the results of such testing and threat actor simulations are shared with senior management and the Board of Directors. Duke Energy also has a senior management committee, the Executive Cybersecurity Oversight Governance Committee (ECOG), which governs enterprise-level cybersecurity risk tolerance. Internal and external cybersecurity audits provide a third line of defense and independently provide assurance on how effectively the Company, as a whole, manages cybersecurity risk. Each year, Duke Energy Corporate Audit Services (CAS) performs various audits of key Duke Energy security systems and functions, such as third-party risk management programs, to assess whether appropriate security controls are in place and operating effectively. In addition to these internal audits, the Company is subject to a variety of external audits, performed periodically as required by the auditing entity, including external audits performed by the North American Electric Reliability Corporation under the Critical Infrastructure Protection framework (NERC CIP), Transportation & Security Administration Pipeline Security Directive and Federal Energy Regulatory Commission Dam Security. Duke Energy is not currently aware of any potential cybersecurity threats, including as a result of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, however, Duke Energy cannot provide assurance that it will not be materially affected in the future by cybersecurity risks or any future material incidents. Governance The Audit Committee has primary oversight of management s efforts to mitigate cybersecurity and technology risk and respond to cyber incidents. The Audit Committee receives updates throughout the year from the CIO and CSISO on cybersecurity and grid security issues, including compliance with regulations, employee training, and drills, at every regularly scheduled Audit Committee meeting, and engages in discussions throughout the year with management on the effectiveness of Duke Energy s overall cybersecurity program and progress for addressing any identified risks. In 2023, the Audit Committee received four updates on cybersecurity. The Audit Committee also receives periodic updates on Duke Energy s digital transformation and the operation of, and enhancements to, the Company s financial systems and business and operational technical systems. The reviews presented to the Audit Committee are followed with an update to the full Board of Directors by the Chair of the Audit Committee. In addition, the Operations and Nuclear Oversight Committee (ONOC) of the Board of Directors provides oversight of the nuclear safety and cybersecurity of Duke Energy s nuclear power program, which is integrated with the companywide cyber protocols, and the Chair of the ONOC reports out to the Board of Directors on such oversight activities. Duke Energy s nuclear cybersecurity program and associated cybersecurity plan (CSP) were fully implemented in 2017 in accordance with NRC regulation 10 CFR 73.54, Protection of digital computer and communication systems and networks and leverage monitoring, testing, drills, audits, assessments, and NRC inspections to continue to validate the effectiveness of the program to protect plant assets from cybersecurity threats. Moreover, Duke Energy s processes ensure that the Board of Directors receive contemporaneous reporting on potentially significant cyber events including response, legal obligations, and outreach and notification to regulators and customers when needed, as well as an opportunity to provide guidance to management as appropriate. In addition, the Company s Executive Cybersecurity Oversight Governance Committee (ECOG), comprised of the Company’s Chair, President, and Chief Executive Officer (CEO), Executive Vice President (EVP) and Chief Financial Officer, EVP and Chief Commercial Officer, EVP Customer Experience, Solutions and Services, and EVP, Chief Generation Officer and Enterprise Operational Excellence, receives monthly updates from the CIO and CSISO and provides senior management throughout the Company informational technology and operational technology perspectives, oversight and governance on investments and priorities for the broader cybersecurity organization, in addition to providing final decision oversight on recommendations and response to the ever challenging cybersecurity threat landscape. The ECOG also is leveraged to supply information and bring transparency to senior management throughout the company on the increasing threat landscape and the actions, response and road map to combat the threats. The relevant cybersecurity risk expertise of Duke Energy s management who serve on the ECOG and/or senior management who lead the CIRT and EST is described below. The CEO of Duke Energy has over 20 years of experience in the utilities industry, and has gained cybersecurity experience as CEO of one of America s largest utility companies, and through service on the board of the Edison Electric Institute, the Institute of Nuclear Power Operations, the World Association of Nuclear Operators, and past service on the Department of Homeland Security Advisory Council. The EVP and Chief Financial Officer of Duke Energy (CFO) previously served as the Company s Chief Transformation and Administrative Officer and led the Company s business transformation through digital innovation, new ways of working and process redesign. In this role, the CFO gained an in-depth understanding of the Company’s cybersecurity procedures and key threats, and was responsible for the enterprise business services and technology team, including the information and technology organization. The EVP, Chief Generation Officer and Enterprise Operational Excellence of Duke Energy has gained cybersecurity experience through being responsible for the safe, efficient and reliable operation of Duke Energy’s fleet of nuclear, natural gas, hydro, solar and coal units. 33 CYBERSECURITY The EVP, Customer Experience, Solutions and Services of Duke Energy has gained cybersecurity experience through focusing on transmission and the development of long-term grid strategies and solutions and through a prior role as Chief Distribution Officer, overseeing the safe, reliable, and efficient operation of Duke Energy s electric distribution systems, and through serving on the board of the Association of Edison Illuminating Companies. The EVP and Chief Commercial Officer of Duke Energy has cybersecurity experience gained through responsibility for enterprise technology and security, among other areas. The CSISO of Duke Energy has over 25 years of experience building and leading security teams within multiple industries. The CSISO holds a Secret Security clearance and is committed to strengthening U.S. critical infrastructure through active collaboration with federal partners at the Federal Bureau of Investigation, Department of Energy, Department of Homeland Security, and state partners including the national guard, law enforcement and universities. The CIO of Duke Energy has over 25 years of experience in delivering secure information technology solutions across multiple industries, leading technology delivery for all core business functions. The CIO holds a Secret Security clearance and has active interactions and partnership with the Federal Bureau of Investigation, Edison Electric Institute and State Fusion Centers in the jurisdictions that Duke Energy serves. 34 PROPERTIES

Company Information