OGLETHORPE POWER CORP 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

OGLETHORPE POWER CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 17:20:10 EDT.

Filings

10-K filed on 2024-03-25

OGLETHORPE POWER CORP filed a 10-K at 2024-03-25 17:20:10 EDT
Accession Number: 0001628280-24-012944


Item 1C. Cybersecurity.

Risk Management and Strategy

Our generating facilities are part of the United States energy infrastructure system and we face a myriad of cybersecurity threats. As such, cybersecurity is an area of continuous focus and we maintain a comprehensive cybersecurity risk management program with processes in place to assess, identify and manage cybersecurity risks. Our management and oversight of direct and indirect cybersecurity risks and our response to any cybersecurity incident is an integral part of our business.

We have a long-standing focus on cybersecurity risks and compliance with applicable safety protocols. Our primary cybersecurity focus areas are plant infrastructure, data privacy, and outsourced services. Within these areas, we maintain multi-faceted, layered security programs designed to protect and preserve the confidentiality, integrity and availability of data and systems.

Within our organization, we have a mature information technology security program and cybersecurity responsibilities are clearly defined. We regularly invest in technology and information system upgrades designed to prevent, detect and respond to attacks. We also perform tabletop exercises for executive leadership. We require all employees to complete quarterly cybersecurity-related training and awareness programs. We review the cybersecurity practices of our vendors who provide goods and/or services that could impact our plant control systems and require contractors with access to our plant control rooms to complete annual cybersecurity-related training. We also require enhanced diligence reviews on all contractors and employees who have access to our plant control systems.

As part of the nation's critical infrastructure network, we are subject to certain mandatory reliability standards, which include cyber security requirements. We have a formal compliance program to establish, monitor and maintain compliance that includes comprehensive cybersecurity elements designed to protect and preserve our critical information and energy infrastructure systems. We reference industry and government frameworks and best practices to continuously improve our cybersecurity program and we participate in industry groups and information sharing exchanges to understand emerging cybersecurity trends and threats.

Georgia Transmission and Georgia System Operations provide us with certain transmission and system operations services that enable us to deliver energy to our members. As part of our risk management approach, we coordinate our cybersecurity preparedness and response planning with Georgia Transmission and Georgia System Operations.

As part of our approach to cyber risk management, we regularly perform internal audits of internal processes and controls relating to cybersecurity to assess and enhance the effectiveness of our security programs. From time to time, as appropriate under our overall cybersecurity program, we engage third-party experts to support and audit our cybersecurity preparedness.

We have also adopted cybersecurity incident response guidelines. As required by these guidelines, teams and plans are in place to respond to any cyber security incident, including internal and external communication responsibilities.

As of the date of this annual report, we have not experienced any cyber security incident that has materially affected our business. See "RISK FACTORS" for a discussion of cybersecurity risks that may affect us.

Governance

Our board of directors, along with the audit committee of our board of directors, is responsible for oversight of our cybersecurity risks and receives regular reports regarding our assessment and management of cybersecurity risks and information regarding any significant cybersecurity incidents. Our board has adopted a policy regarding cybersecurity and delegated administration of the policy to our President and Chief Executive Officer.

Currently, our risk management and compliance committee, comprised of our chief executive officer, chief operating officer, chief financial officer, and the executive vice president of member and external relations, assesses and monitors material risks from cybersecurity threats. Members of our risk management and compliance committee receive regular updates regarding the prevention, mitigation, and detection of cybersecurity incidents and would oversee the response and remediation of any material cybersecurity incident. Our risk management and compliance committee also ensures our board of directors is briefed on cybersecurity risks, makes materiality determinations with regards to cybersecurity risks and monitors the active management of cybersecurity risks by internal and external teams.

For additional information regarding our board of directors' risk oversight activities, see "DIRECTORS, EXECUTIVE OFFICERS AND CORPORATE GOVERNANCE - Board of Directors' Role in Risk Oversight."


Company Information

Name: OGLETHORPE POWER CORP
CIK: 0000788816
SIC Description: Electric Services
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30