TAMPA ELECTRIC CO 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

TAMPA ELECTRIC CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 06:11:16 EST.

Filings

10-K filed on 2024-02-26

TAMPA ELECTRIC CO filed a 10-K at 2024-02-26 06:11:16 EST
Accession Number: 0000950170-24-019720


Item 1C. Cybersecurity.

TEC assesses, identifies, and manages material risks from cybersecurity threats under the governance of its Cyber Security Framework and Information Security Policy, as well as several related policies and procedures addressing areas such as threat vulnerability management, cyber risk management, data protection and classification, network security, access control, incident response, security awareness, employee training and asset management. These policies and related standards require identification of all Information Technology (IT) and Operational Technology (OT) critical facilities and/or cyber assets, and sufficient controls for IT and OT asset inventory, including responsibilities for assets, information owners, and asset disposition processes.

From a security perspective, TEC's Information Security group is directed at protecting all aspects of data and how information is stored, transmitted, processed, and used in business processes. TEC's Corporate Security group is responsible for protecting physical assets including critical facilities, protection of employees, and related physical security risks. TEC's Information Security group of the Information Technology department has the direct responsibility for developing, monitoring, and enforcing information security standards and procedures; reviewing and approving all network interconnections for compliance to security standards; and assisting, consulting, and training individuals throughout TEC in the use of appropriate information security practices. This group is responsible for ensuring that all IT and OT cyber systems, assets, and networks are aligned with Emera and affiliate cybersecurity framework. TEC engages independent third party consultants from time to time to assess the adequacy of its cybersecurity measures and assist in implementing any appropriate actions to address any vulnerabilities identified. In addition, TEC participates in an Electric Power Research Institute (EPRI) research project to develop cybersecurity performance metrics. EPRI offers a web-based platform, which supports automated cybersecurity data collection, security metrics calculation, visualization, and analysis.

The Vice President of Information Technology and Chief Information Officer (CIO), who reports to the President and Chief Executive Officer, oversees this group and is responsible for managing the program, in collaboration with TEC's businesses and functions. TEC's CIO has advanced degrees in computer science and extensive experience in cybersecurity and information technology, including many years of experience at large organizations leading cybersecurity, IT processes and controls, strategy, architecture, delivery and support of IT applications, and overseeing large groups of employees and contractors responsible for carrying out these responsibilities.

TEC's Vendor Risk Management process includes conducting risk assessments to identify and monitor cybersecurity risks associated with third-party service providers, including threat detection and security event notifications. TEC also has requirements for third-party service providers which include regulatory compliance and meeting the National Institute of Standards and Technology Cybersecurity Framework policy and standards. TEC's processes also provide for mitigating cybersecurity risk from third parties through seeking to include in its agreements with third-party service providers, as applicable, cybersecurity provisions designed to appropriately address such risks.

TEC's IT Business Continuity Emergency Contingency Response Plan is updated periodically and reviewed at least annually. This plan includes guidelines for the escalation and communication of cybersecurity incidents, including a requirement to timely report to TEC's executive leadership and Board of Directors based on an assessment of the risk and other specified criteria. TEC has established a cyber incident response team to prepare for, mitigate, and remediate cybersecurity incidents, which is integrated within Emera's enterprise crisis management framework.

Cybersecurity risks are integrated into TEC's overall risk management process through the collaboration of the cybersecurity professionals and TEC's and Emera's risk management functions to assess threat levels on an affiliate and corporate basis and identify steps and resources appropriate to manage such risks.

The Board of Directors oversees the management of risks from cybersecurity threats through receiving regular reports from the CIO, which include updates on TEC's performance with preparing, preventing, detecting, responding to, mitigating, and recovering from cybersecurity incidents. Should a cybersecurity threat or incident pose a significant risk to TEC, TEC's processes provide that the CIO, through the CEO, as appropriate, would promptly inform the Board regarding any such threat or incident. The CIO also provides regular updates on the key elements of its cybersecurity program to the Emera Board's Risk and Sustainability Committee, which has oversight over Emera's enterprise risk management framework, including oversight over cybersecurity risk.

While to date TEC has not detected a significant compromise of its cybersecurity systems, significant data loss or any material financial losses related to cybersecurity attacks, it is possible that TEC could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats. See Item 1A. Risk Factors, "TEC is exposed to potential risks related to cyberattacks and unauthorized access, which could cause system failures, disrupt operations or adversely affect safety" for a further discussion of risks related to cybersecurity.


Company Information

Name: TAMPA ELECTRIC CO
CIK: 0000096271
SIC Description: Electric Services
Category: Non-accelerated filer
Fiscal Year End: December 30