ENBRIDGE INC 10-K Cybersecurity GRC - 2026-02-13

Page last updated on February 13, 2026

ENBRIDGE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 07:05:44 EST.

Filings

10-K filed on 2026-02-13

ENBRIDGE INC filed a 10-K at 2026-02-13 07:05:44 EST
Accession Number: 0001193125-26-049810

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C . CYBERSECURITY Cybersecurity risk management, strategy and governance Oversight of cybersecurity is integrated into the responsibilities of the Board and its committees. The Board is responsible for identifying and understanding Enbridge's principal risks so that appropriate systems are implemented to monitor, manage and mitigate those risks. The committees of the Board have oversight over risks within their respective mandates. The Audit, Finance and Risk Committee (AFRC) has primary oversight of cybersecurity matters, including the integrity of financial data and public disclosures, the security of the cyber landscape across data and digital, and operational and financial risk and controls. Management provides quarterly cybersecurity reports to the AFRC and the Board and also reports to the Safety and Reliability Committee, as deemed necessary, on cybersecurity issues related to safety, reliability and operations. Each year, management prepares and provides the Board and its committees with a corporate risk assessment (CRA), which analyzes and prioritizes enterprise-wide risks, highlighting top risks and trends (including cybersecurity). The annual CRA is an integrated enterprise-wide process which engages each part of our business to assess and rank risks based on impact and probability. We strive to ensure that mitigation measures are appropriately designed, prioritized and resourced. The CRA report is reviewed by the Board committees with responsibility for the risk categories relevant to their mandate and is provided to the Board, which coordinates Enbridge's overall risk management approach. Complementary to the CRA, management prepares and provides to the Safety and Reliability Committee an annual top operational risk report that highlights the highest consequence operational risks across Enbridge and includes further detail on the risks and their treatment. This information helps inform the Board about the potential impact of top operational risks and of treatments in place to manage those risks. Cybersecurity has been identified as a top risk, driven by the growing sophistication and frequency of attacks targeting our industry over the years, compounded by geopolitical instability and the rapid advancement of technologies leveraged by threat actors. Although we devote significant resources and security measures to prevent unwanted intrusions and to protect our systems and data, we (and our third-party vendors) have experienced, and expect to continue to experience, cyber attacks of varying degrees in the conduct of our business, including, for example, denial of service attacks. Cybersecurity risk is described in Item 1A. Risk Factors . Enbridge's management is responsible for the implementation of risk management strategies and monitoring performance. The technology and information services function is centralized under the Senior Vice President & Chief Information Officer (CIO). We also engage independent third parties to assess our cybersecurity program, track their recommendations, and use those to further improve the program. Reporting to the CIO is the Chief Information Security Officer who is in charge of our cybersecurity program and oversees the 24x7x365 Security Operations Center (SOC). We conduct continuous assessments of our cybersecurity standards, perform regular tests of our ability to respond and recover, and monitor for potential threats. To further mitigate threats, we collaborate with governments and regulatory agencies and take part in external events to learn and share. Our workforce participates in regular security awareness training, including simulated phishing exercises to enhance our capabilities to identify and report suspicious phishing emails to our SOC. We continue to expand the cybersecurity training offerings to include tailored training and phishing simulations to higher-risk groups within the organization. Additionally, tailored cybersecurity training courses have been implemented for team members in operational technology and software development roles, and we have increased the frequency of phishing simulation tests. 58 We have a cybersecurity third-party risk management program, which is an evolving, cross-functional program to help assess and mitigate risks from third-party vendors and other service providers. We complete risk assessments for all business-identified critical and high-spend vendors and address security issues. We are proactively monitoring critical vendors using real time monitoring tools to identify vendor vulnerabilities that could lead to a breach. This is a complementary tool to the several layers of defense and protection technologies we use, the cybersecurity experts we employ, and the automated alerting and response mechanisms, in order to reduce risk to Enbridge. Although cybersecurity risks have not materially affected us , including our business strategy, results of operations or financial condition, to date, we have experienced an increasing number of cybersecurity threats in recent years. For more information about the cybersecurity risks we face, see the risk factor entitled " Cyber attacks and other cybersecurity incidents pose significant threats to our technology systems and could materially adversely affect our business, operations, reputation or financial results ." in Item 1A. Risk Factors .

Company Information