OLD DOMINION ELECTRIC COOPERATIVE 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

OLD DOMINION ELECTRIC COOPERATIVE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 13:15:16 EDT.

Filings

10-K filed on 2024-03-12

OLD DOMINION ELECTRIC COOPERATIVE filed an 10-K at 2024-03-12 13:15:16 EDT
Accession Number: 0000950170-24-029768

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management We operate in a highly regulated industry that requires the continued operation of advanced information technology systems and network infrastructure and we recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. We manage these risks from cybersecurity threats through our enterprise risk management process which is overseen by our board of directors through an enterprise risk management policy. This policy requires a risk management committee, which is chaired by our President and CEO and also includes our other executive officers, and which is responsible for managing our risks including cybersecurity. The risk management committee meets on a monthly basis, and can be convened as needed to address any time-sensitive matters arising between scheduled meeting dates. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, investigate, resolve, remediate, and recover from identified vulnerabilities and security incidents in a timely manner. To address potential material cybersecurity risk in association with the use of third-party providers, we require they meet minimum security requirements. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We identify and address cybersecurity threats through a multi-faceted approach including internal IT assessments and procedures, third-party assessments, internal audits, governance, and risk and compliance reviews. Identifying and assessing cybersecurity risk is integrated into our overall risk management processes. We conduct proactive cybersecurity reviews of our systems and applications, audit applicable processes and applications, perform testing on our security controls, conduct exercises to simulate cybersecurity incidents, conduct employee training, and monitor emerging laws and regulations related to data protection and information security. We evaluate the results and responses to these efforts and implement appropriate changes to improve our security measures. In accordance with our board policy for incident management and business continuity planning, we have implemented security incident response plans and security incident response teams. These teams include members from multiple functional areas of our organization that identify, investigate, respond, and resolve cybersecurity incidents. Cybersecurity incidents are evaluated and ranked by severity and prioritized for response. We also evaluate the need to include the use of third parties to assist us in the response to a cybersecurity incident. Our Senior Vice President and COO leads the security response teams, and the activities of the security response teams are overseen by our senior management team. Based on the severity of incident, members of the senior management team determine whether the incident requires immediate escalation to our board of directors. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents have been immaterial. This includes penalties and settlements, of which there were none. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business operations and financial condition. See Risk Factors in Item 1A. Cybersecurity Governance Our board of directors oversees our biennial enterprise risk assessment process that we utilize to assess key risks within the company, including security and technology risks and cybersecurity threats. The audit committee of our board of directors oversees our internal control over financial reporting, including with respect to financial reporting-related information systems. The audit committee receives internal audit reports conducted by an independent audit firm on various 23 cybersecurity matters. In addition, our risk management committee reviews and evaluates reports monthly, and as needed, related to cybersecurity activity and incidents.

Company Information