IPALCO ENTERPRISES, INC. 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

IPALCO ENTERPRISES, INC. described its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-02-26 at 21:44:03 EST.

Filings

10-K filed on 2024-02-26

IPALCO ENTERPRISES, INC. filed a 10-K at 2024-02-26 21:44:03 EST
Accession Number: 0000728391-24-000010


Item 1C. Cybersecurity.

We recognize the importance of maintaining the safety and security of our people, systems, and data and have a holistic process, supported by our management and Board of Directors, for overseeing and managing cybersecurity and related risks. As part of AES, we are also supported by AES' cyber risk management program. AES' Chief Information Security Officer ("CISO") reports to AES' General Counsel and is the head of the Company's cybersecurity team. The CISO is responsible for assessing and managing AES' cyber risk management program globally, including IPALCO and its subsidiaries. In this role, the CISO informs senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. AES' CISO has extensive experience assessing and managing cybersecurity programs and cybersecurity risk and has served in that position since 2020. The CISO manages a global team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, cloud security, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. We rely on threat intelligence as well as other information obtained from governmental, public, or private sources, including contracted external consultants. The global team includes local cyber security professionals that manage the operational technology (OT) network security of IPALCO to demonstrate compliance with the NERC Critical Infrastructure Protection (CIP) standards and IURC regulation.

The Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The CISO briefs the Board of Directors on the effectiveness of our cyber risk management program periodically and as needed.

We consider cybersecurity as part of the enterprise risk process, including organized and structured reporting protocols. The prioritization of cybersecurity risk is aligned with overall risk management processes. In addition, the Company's management team considers risks relating to cybersecurity, among other significant risks, and applicable mitigation plans to address such risks, at monthly performance review meetings. The Company's CEO, CFO and other members of senior management participate in such meetings. We have also established an Incident Response Team and associated protocol led by AES' CISO that governs our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this protocol provides for escalating notification to our CEO and the Board. We regularly practice our incident response through executive tabletop exercises. Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are informed by frameworks established by the National Institute of Standards and Technology ("NIST") and other applicable industry standards. Our cybersecurity program addresses threats in a prioritized manner and, in particular, focuses on the following key areas: gap analysis to identify programmatic opportunities for improvement that can be incorporated into the cyber strategy; policies and standards that are annually reviewed and communicated; exceptions management and internal audits that support cybersecurity requirements through assessing control implementation risks; and monitoring and regular reporting of cyber resilience and posture at operational and strategic levels.

We engage assessors, consultants, auditors, or other third parties in connection with any such processes, including: external vulnerability assessments, including penetration tests; internal audit reviews; threat intelligence; incident management; audits of NERC Critical Infrastructure Protection regulated environments by the NERC Registered Regional Entity; and program development support, as needed. Our risk management program for third-party service providers includes risk-based assessments of their interactions with our data and systems. We implement monitoring and response processes for key third-party service providers. We provide awareness training to our employees to help identify, avoid, and mitigate cybersecurity threats. Our employees participate in training, including phishing exercises, monthly safety meetings, and an annual cybersecurity awareness update. We also periodically host tabletop exercises with management and other employees to practice rapid cyber incident response.

We face cybersecurity risks in connection with our business. Although such risks have not materially affected us to date, we have, from time to time, experienced threats to and breaches of our data and systems. For more information about the cybersecurity risks we face, see the risk factor entitled "Potential security breaches (including cybersecurity breaches) and terrorism risks could materially and adversely affect our business" in Item 1A, Risk Factors, of this Annual Report on Form 10-K.


Company Information

Name: IPALCO ENTERPRISES, INC.
CIK: 0000728391
SIC Description: Electric Services
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30