Cleco Corporate Holdings LLC 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

Cleco Corporate Holdings LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 16:09:00 EST.

Filings

10-K filed on 2024-03-08

Cleco Corporate Holdings LLC filed an 10-K at 2024-03-08 16:09:00 EST
Accession Number: 0001089819-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management, Strategy, and Governance Cybersecurity Integration with overall risk management Cleco s business operations rely on complex and evolving operational and information technology systems and network infrastructures. Digital information, information technology, and automation are essential components of Cleco s operations and growth strategy. Cleco continues to assess its cybersecurity tools and processes and has taken a variety of actions to monitor and address cyber-related risks. These cybersecurity tools and assessments are embedded in Cleco s overall enterprise risk management system. Cleco utilizes the following tools, methodologies, and standards to assess, identify, and manage material cybersecurity risks: NERC CIP standards, which protect Cleco s operational technology, National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which protects Cleco s operational and information technology, Sarbanes-Oxley Act (SOX) regulations, which require Cleco to maintain access and security controls for certain systems that are essential to the completeness and accuracy of financial reporting, internal and third-party assessments to identify and prioritize risks, Cybersecurity Incident Response Plans (CSIRPs), and a security operations center managed 24 hours a day by a third party. Processes to assess, identify, and manage material risks Cleco has processes and procedures in place to ensure its cybersecurity program is operating effectively and members of Cleco s EMT routinely review its cybersecurity strategy, policy, program effectiveness, standards enforcement, and cybersecurity issue management. Cleco conducts risk assessments and compliance audits against standards including the NIST CSF, NERC CIP, and SOX. Cleco also engages with a variety of independent third parties, such as assessors, consultants, and auditors, for periodic audits and reviews of cybersecurity threats and related controls, including review of periodic penetration tests, regular patch reviews from vendors listing relevant risks, industry alerts and forums, and tabletop exercises. These assessment results are used to develop appropriate cybersecurity controls and risk mitigation strategies, which are implemented throughout the organization. Cleco also utilizes its Internal Audit department to review its cybersecurity program, in which findings are reported to the Audit Committee. Cleco s CSIRPs help ensure a timely, consistent, and compliant response to actual or attempted cybersecurity incidents impacting Cleco. These response plans include detection, analysis, containment, eradication, recovery, post-incident review, and timely notice to relevant stakeholders, including Cleco s Audit Committee, once an incident is deemed to be potentially significant or material. Cleco maintains a formal cybersecurity training program for all employees that includes training on matters such as phishing and email security best practices. Employees are also required to complete compulsory training on data privacy. Cleco also provides specialized security training for certain other employee roles. Processes to oversee and identify material risks associated with use of third-party service providers Cleco is implementing processes to manage the cybersecurity risks associated with its use of third-party service providers. Additionally, Cleco is actively reviewing and updating all third-party service contracts upon renewal for potential amendments related to security, confidentiality, and recourse in the event of a negligent incident, such as a breach, loss, or unauthorized use of Cleco s data. These measures provide the structure for managing Cleco s cyber-related risks. Management s oversight Cleco maintains a cybersecurity program overseen by its Chief Administrative and Sustainability Officer, EMT, and Audit Committee that uses a risk-based methodology to support the security, confidentiality, integrity, and availability of information. This program is integrated within Cleco s enterprise risk management program, which utilizes the Enterprise Risk Management Committee to collaboratively manage and advance enterprise-wide risk management processes. Cleco s Disclosure Committee, which is comprised of EMT and the Chief Accounting Officer, is the means in which cybersecurity matters are assessed for disclosure requirements. Cleco s EMT sets enterprise risk strategies and makes risk-informed decisions that include the assessment and response to 27 CLECO CLECO POWER 2023 FORM 10-K cybersecurity risk. In March 2024, management began engaging in quarterly discussions with the Audit Committee regarding incidents of any magnitude experienced during the quarter, strategies and significant risk exposures, as well as the measures implemented to monitor and control these risks. These discussions may include the results of internal and third party risk assessments and audit results, and management s plans to improve its cybersecurity posture using a risk-based approach. Cleco s cybersecurity team, overseen by the Chief Administrative and Sustainability Officer, has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes. Members of this team have extensive technical and leadership experience in federal and/or private sector environments as well as industry-recognized cybersecurity certifications. This team relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by Cleco. Cleco s Audit Committee oversees the management of its cybersecurity risk and is responsible for communicating cyber-related incidents to its Boards of Managers. Risks and previous events with material effects It is possible that Cleco s information technology systems and networks, or those managed by third parties, could have vulnerabilities and those vulnerabilities could go unnoticed for a period of time. Cleco may also be exposed to, and adversely affected by, interruptions to its computer and information technology systems, and sophisticated cyberattacks, including cybersecurity threats and vulnerabilities in its systems, malware, and attacks targeting its information technology systems and networks. Any such prior events, to date, have not had a material impact on Cleco s results of operations, financial condition or cash flows. While various procedures and controls have been and are being utilized to mitigate such risks, there can be no guarantee that the actions and controls Cleco has implemented and is implementing, or which Cleco causes or has caused third party providers to implement, will be sufficient to protect its systems, information or other property. For more discussion of potential cyber threats that may affect Cleco, see Item 1A, Risk Factors Operational Risks Technology and Terrorism Threats.

Company Information